Issue Date: November 15, 2011
Audit Report Number: 2012-FO-0003

TO: David Sidari, Acting Chief Financial Officer, F

//s//
FROM: Thomas R. McEnanly, Director, Financial Audits Division, GAF

SUBJECT: Additional Details To Supplement Our Report on HUD's Fiscal Years 2011 and 2010 Financial Statements

HIGHLIGHTS

What We Audited and Why

We are required to annually audit the consolidated financial statements of the U.S. Department of Housing and Urban Development (HUD) in accordance with the Chief Financial Officers Act of 1990, as amended. Our report on HUD's fiscal years 2011 and 2010 financial statements is included in HUD's Fiscal Year 2011 Annual Financial Report. This report supplements our report on the results of our audit of HUD's principal financial statements for the fiscal years ending September 30, 2011, and September 30, 2010.
Also provided are assessments of HUD's internal controls and our findings with respect to HUD's compliance with applicable laws, regulations, and governmentwide policy requirements and provisions of contracts and grant agreements.[1] In addition, we plan to issue a letter to management on or before January 13, 2012, describing other issues of concern that came to our attention during the audit.

[1] Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included in this report but are included in the accounting firm of Clifton Gunderson LLP's audit of FHA's financial statements. That report has been published in our report, Audit of Federal Housing Administration Financial Statements for Fiscal Years 2011 and 2010 (2012-FO-0002, dated November 07, 2011). Additional details relating to the Government National Mortgage Association (Ginnie Mae), another HUD component, are not included in this report but are included in the accounting firm of Clifton Gunderson LLP's audit of Ginnie Mae's financial statements. That report has been published in our report, Audit of Government National Mortgage Association Financial Statements for Fiscal Years 2011 and 2010 (2012-FO-0001, dated November 07, 2011).

What We Found

In our opinion, HUD's fiscal years 2011 and 2010 financial statements were fairly presented. Our opinion on HUD's fiscal years 2011 and 2010 financial statements is reported in HUD's Fiscal Year 2011 Agency Financial Report. The other auditors and our audit also disclosed the following ten significant deficiencies in internal controls related to the need to:

    Have financial management systems comply with Federal Financial Management System Requirements;
    Continue improvement in the processes for reviewing obligation balances;
    Ensure internal controls over Office of Community Planning and Development (CPD) grantees' compliance with program requirements are operating effectively;
    Improve administrative control of funds;
    Continue improvements in the oversight and monitoring of subsidy calculations, intermediaries' program performance, and use of Housing Choice Voucher program funds;
    Further strengthen controls over HUD's computing environment;
    Improve personnel security practices for access to HUD's critical financial systems;
    Improve compliance control to ensure the safety, completeness, and validity of collateral loan files;
    Strengthen internal control over risk-based issuer and document custodian reviews to improve the effectiveness of counterparty monitoring and oversight; and
    Effectively analyze and resolve identified information technology security control deficiencies.

Our findings include the following five instances of noncompliance with applicable laws and regulations:

    HUD did not substantially comply with FFMIA regarding system requirements;
    HUD did not substantially comply with the Antideficiency Act;
    HUD did not substantially comply with laws and regulations governing claims of the United States Government;
    FHA's Mutual Mortgage Insurance Fund capitalization was not maintained at a minimum capital ratio of 2 percent, which is required under the Cranston-Gonzalez National Affordable Housing Act of 1990; and
    FHA did not substantially comply with the Federal Financial Management Improvement Act (FFMIA) regarding system limitations related to operational effectiveness and efficiency.

In addition, our audit disclosed another matter, in which HUD did not obligate all of the funds appropriated for the Emergency Homeowners' Loan Program.

What We Recommend

Most of the issues described in this report represent long-standing weaknesses. We understand that implementing sufficient change to mitigate these matters is a multiyear task due to the complexity of the issues, insufficient information, technology systems funding, and other impediments to change. In this and prior years' audits of HUD's financial statements, we have made recommendations to HUD's management to address these issues.
Our recommendations from the current audit, as well as those from prior years' audits that remain open, are listed in appendix B of this report.

The audit also identified $80.7 million in excess obligations recorded in HUD's records. We are also recommending that HUD request a congressional rescission of $471.8 million in funding originally appropriated for the Emergency Homeowners' Loan Program but not obligated by the required obligation date. Lastly, we are recommending that HUD seek legislative authority to implement offsets of $820 million against public housing agencies' (PHA) excess Section 8 funding held in net restricted assets accounts at the PHAs and $1 billion in the operating subsidy account. These amounts represent funds that HUD could put to better use.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-4. Please furnish us copies of any correspondence or directives issued because of the audit.

Auditee's Response

The complete text of the auditee's response, along with our evaluation of that response, can be found in appendixes E and F of this report.

TABLE OF CONTENTS

Highlights
Internal Control
Compliance With Laws and Regulations
Other Matters
Appendixes
   A. Objectives, Scope, and Methodology
   B. Recommendations
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended Remedial Actions
   D. Schedule of Funds To Be Put to Better Use
   E. Agency Comments
   F. OIG Evaluation of Agency Comments

INTERNAL CONTROL

Significant Deficiency 1: HUD Financial Management Systems Did Not Fully Comply With Federal Financial Management System Requirements

As reported in prior years, the U.S. Department of Housing and Urban Development's (HUD) financial management systems did not fully comply with Federal financial management system requirements. HUD did not develop an adequate agencywide financial management systems plan. Additionally, HUD had not completed development of an adequate integrated financial management system. HUD's financial systems, many of which were developed and implemented before the issue date of current standards, were not designed to perform or provide the range of financial and performance data currently required. The result is that HUD, on a departmentwide basis, did not have integrated financial management systems that complied with current Federal requirements or provided HUD the information needed to effectively manage its operations on a daily basis. This situation could negatively impact management's ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency's financial results, performance measures, and cost information.
The Office of Community Planning and Development's (CPD) grants management systems had weaknesses in internal control and were also noncompliant with Office of Management and Budget (OMB) A-127 Federal financial management systems requirements, Federal accounting standards, and application of the U.S. Standard General Ledger (USSGL) at the transactions level.

Agencywide Financial Management Systems Plan Did Not Meet Circular A-127 Requirements

In fiscal year 2010, we performed an audit to assess HUD's compliance with the requirements specified in OMB Circular A-127.[2] We found that HUD did not comply with the requirements. The Office of Inspector General (OIG) reported in its fiscal year 2008 financial statement audit report that HUD had not performed the OMB Circular A-127-required reviews of its financial management systems for compliance with computer security and internal control guidelines. During our review in fiscal year 2010, we determined that HUD had not taken corrective action to address this weakness and ensure that A-127 compliance reviews were conducted. In October 2011, HUD's Risk Management Division submitted a revised corrective action plan, which allowed the recommendation from the fiscal year 2008 financial statement audit to be closed.

[2] Audit Report Number 2011-DP-0003, "HUD Did Not Fully Comply With the Requirements of OMB Circular A-127," issued December 3, 2010

As part of our fiscal year 2011 audit, we determined that the agencywide financial management systems plan developed by the Chief Financial Officer (CFO) did not fully meet requirements of OMB Circular A-127. Although the plan developed for fiscal year 2011 contained headers or specific sections for each of the required pieces of information according to Circular A-127, the information included within the document was not sufficient. Specifically, the plan did not address (1) specific modifications or enhancements needed for each financial management system; (2) equipment acquisition information and details regarding system modifications, enhancements, etc., necessary to implement the targeted architecture for each financial management system; (3) cost estimation data related to each specific project; (4) information regarding each financial management system's life cycle; (5) a projection of the reasonable useful life of each investment; (6) details regarding system upgrades required for each system; or (7) existing problems related to each of the financial management systems. As a result, the plan was not an effective management tool.
Without future system enhancement and modification, resource allocation, budgeting, and funding information in its financial management system plans, HUD has no single document that can be used to ensure that agency spending and funding are in line with its business plan and goals.

HUD Is Required To Implement a Compliant Financial Management System

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires, among other things, that HUD implement and maintain financial management systems that substantially comply with Federal financial management system requirements. The financial management system requirements include implementing information system security controls. The requirements are also included in OMB Circular A-127, "Financial Management Systems." Circular A-127 defines a core financial system as an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events. It may be integrated through a common database or interfaced electronically to meet defined data and processing requirements. The core financial system is specifically used for collecting, processing, maintaining, transmitting, and reporting data regarding financial events.
Other uses include supporting financial planning, budgeting activities, and preparing financial statements.

As in previous audits of HUD's financial statements, in fiscal year 2011, there continued to be instances of noncompliance with Federal financial management system requirements. These instances of noncompliance have given rise to significant management challenges that have (1) impaired management's ability to prepare financial statements and other financial information without extensive compensating procedures, (2) resulted in the lack of reliable, comprehensive managerial cost information on its activities and outputs, and (3) limited the availability of information to assist management in effectively managing operations on an ongoing basis.

HUD's Financial Systems Were Not Adequate

As reported in prior years, HUD did not have financial management systems that enabled it to generate and report the information needed to both prepare financial statements and manage operations on an ongoing basis accurately and in a timely manner. To prepare consolidated departmentwide financial statements, HUD required the Federal Housing Administration (FHA) and the Government National Mortgage Association (Ginnie Mae) to submit financial statement information on spreadsheet templates, which were loaded into a software application. In addition, all consolidating notes and supporting schedules had to be manually posted, verified, reconciled, and traced.
To overcome these systemic deficiencies with respect to preparation of its annual financial statements, HUD was compelled to rely on extensive compensating procedures that were costly, labor intensive, and not always efficient.

Due to a lengthy HUD Integrated Financial Management Improvement Project (HIFMIP) procurement process and lack of funding for other financial application initiatives, there were no significant changes made in fiscal year 2011 to HUD's financial management processes. As a result, the underlying system limitations identified in past years remained. Due to the functional limitations of the three applications (HUD Central Accounting Processing System (HUDCAPS), Line of Credit Control System (LOCCS), and Program Accounting System (PAS)) performing the core financial system function, HUD was dependent on its data mart and reporting tool to complete the accumulation and summarization of data needed for U.S. Department of the Treasury and OMB reporting.

HUD's Financial Systems Did Not Provide Managerial Cost Data

In fiscal year 2006, the U.S. Government Accountability Office (GAO) reported in GAO-06-1002R, Managerial Cost Accounting Practices, that HUD's financial systems did not have the functionality to provide managerial cost accounting across its programs and activities. This lack of functionality resulted in the lack of reliable and comprehensive managerial cost information on its activities and outputs. HUD lacked an effective cost accounting system that was capable of tracking and reporting costs of HUD's programs in a timely manner to assist in managing its daily operations.
This condition rendered HUD unable to produce reliable cost-based performance information.

HUD officials indicated that various cost allocation studies and resource management analyses were required to determine the cost of various activities needed for mandatory financial reporting. However, this information is widely distributed among a variety of information systems, which were not linked and, therefore, could not share data. This condition made the accumulation of cost information time consuming, labor intensive, untimely, and ultimately made that cost information not readily available. Budget, cost management, and performance measurement data were not integrated because HUD

    Did not interface its budget formulation system with its core financial system;
    Lacked the data and system feeds to automate a process to accumulate, allocate, and report costs of activities on a regular basis for financial reporting needs, as well as internal use in managing programs and activities;
    Did not have the capability to derive current full cost for use in the daily management of HUD operations; and
    Required an ongoing extensive quality initiative to ensure the accuracy of the cost aspects of its performance measures as they were derived from sources outside the core financial system.

While HUD had modified its resource management application to enhance its cost and performance reporting for program offices and activities, the application did not use core financial system processed data as a source. Instead, HUD used a variety of applications, studies, and models to estimate the cost of its program management activities.
One of these applications, TEAM/REAP, was designed for use in budget formulation and execution, strategic planning, organizational and management analyses, and ongoing management of staff resources. It was enhanced to include an allocation module that added the capability to tie staff distribution to strategic objectives and HUD program offices' management plans.

Additionally, HUD had developed time codes and an associated activity for nearly all HUD program offices to allow automated cost allocation to the program office activity level. HUD indicated that the labor costs that would be allocated to these activities would be obtained from the HUD payroll service provider. However, because the cost information did not pass through the general ledger, current Federal financial management requirements were not met.

Financial Systems Did Not Provide for Effective and Efficient Financial Management

During fiscal year 2011, HUD's financial information systems did not allow it to achieve its financial management goals in an effective and efficient manner in accordance with current Federal requirements. To perform core financial system functions, HUD depended on three major applications, in addition to a data warehouse and a report-writing tool. Two of the three applications that performed core financial system functions required significant management oversight and manual reconciliations to ensure accurate and complete information.
HUD's use of multiple applications to perform core financial system functions further complicated financial management and increased the cost and time expended. Extensive effort was required to manage and coordinate the processing of transactions to ensure the completeness and reliability of information.

Additionally, the interface between the core financial system and HUD's procurement system did not provide the required financial information. The procurement system interface with HUDCAPS did not contain data elements to support the payment and closeout processes. Also, the procurement system did not interface with LOCCS and PAS. Therefore, the processes of fund certification, obligation, deobligation, payment, and closeout of transactions that were paid out of the LOCCS system were all completed separately, within either PAS or LOCCS. This lack of compliance with Federal requirements impaired HUD's ability to effectively monitor and manage its procurement actions.

HUD's Plans To Implement a Departmentwide Core Financial System Were Underway

HUD's plans to implement a commercial Federal certified core financial system and integrate the current core financial system into one departmentwide core financial system were underway. FHA and Ginnie Mae had implemented a compatible and compliant system to support the transition to the enterprise core financial system.
HUD originally planned to select a qualified shared service provider to host the enterprise system and integrate the three financial systems (HUD, FHA, and Ginnie Mae) into a single system by fiscal year 2015. Achieving integrated financial management for HUD would result in a reduction in the total number of systems maintained, provide online, real-time information for management decision making, enable HUD to participate in E-government initiatives, and align with HUD's information technology modernization goals.

HIFMIP, launched in fiscal year 2003, had been plagued by delays. HIFMIP was intended to modernize HUD's financial management systems in accordance with a vision consistent with administration priorities, legislation, OMB directives, modern business practices, customer service, and technology. HUD believed that at some point, HIFMIP would encompass all of HUD's financial systems, including those supporting FHA and Ginnie Mae. HUD had intended to begin the implementation in fiscal year 2006. Due to delays with the procurement process, however, the contract for HIFMIP was not awarded until September 2010.

OMB reviewed HIFMIP and recommended that HUD give additional consideration to its (1) categorization of risk and mitigation strategies, (2) governance structure to ensure appropriate leadership is in place to support the project, and (3) funding strategy to give more time to assess whether the current approach is viable. As a result of OMB's recommendations, HUD agreed to rescope HIFMIP to address only the department-level portion.
Based on HUD's agreement to rescope the project, OMB approved the 18-month base period. Additional approvals will be needed for the option periods associated with HIFMIP. The planned "go live" date for the first phase of HIFMIP has been revised from March 2012 to May 2012. Until its core financial system is fully implemented, we believe the following weaknesses with HUD's financial management systems will continue:

    HUD's ability to prepare financial statements and other financial information will require extensive compensating procedures.
    HUD will have limited availability of information to assist management in effectively managing operations on an ongoing basis.

CFO is Required to Ensure CPD Financial Management Systems Are Compliant with OMB A-127

The CFO is responsible for overseeing all financial management activities relating to the programs and operations of the agency and developing and maintaining an integrated agency accounting and financial management system, including financial reporting and internal controls, which complies with applicable accounting principles, standards, and requirements, and internal control standards, as well as any other requirements applicable to such standards. Additionally, the CFO is responsible for directing, managing and providing policy guidance and oversight of agency financial management personnel, activities, and operations, including the approval and management of agency financial management systems design or enhancement projects.
A financial system is an information system that may perform all financial functions including general ledger management, funds management, payment management, receivable management, and cost management. The core financial system is the system of record that maintains all transactions resulting from financial events.[3] The core financial system is specifically used for collecting, processing, maintaining, transmitting, and reporting data regarding financial events. Any data transfers to the core financial system must be traceable to the transaction source, posted to the core financial system in accordance with applicable guidance from the Federal Accounting Standards Advisory Board (FASAB), and in the data format of the core financial system. A mixed system is an information system that can support both financial and nonfinancial functions.

A financial management system includes the core financial systems and the financial portions of mixed systems necessary to support financial management, including automated and manual processes, procedures, and controls; data; hardware; software; and support personnel dedicated to the operation and maintenance of system functions.
The following are examples of financial management systems: core financial systems, procurement systems, loan systems, grants systems, payroll systems, budget formulation systems, billing systems, and travel systems.

The Integrated Disbursement Information System (IDIS) Online and the Disaster Recovery Grant Reporting (DRGR) systems are used by CPD to support both the financial and nonfinancial functions necessary for the management of CPD's grant programs.[4] The systems were developed to enable grantees to identify activities funded under their action plans, to include budgets; report accomplishments on the activities, which facilitate HUD's reporting on performance goals; and report program income when applicable. To receive funding, these grantees must prepare a citizen participation plan, publish their proposed use of the funds, and submit an action plan to HUD.
Once an action plan is submitted and approved, grantees can submit quarterly reports summarizing obligations, expenditures, drawdowns, and accomplishments for all of their CPD-funded activities.

[3] A financial event is any activity having financial consequences to the Federal Government related to the receipt of appropriations or other financial resources; acquisition of goods or services; payments or collections; recognition of guarantees, benefits to be provided, or other potential liabilities; distribution of grants; or other reportable financial activities.

[4] IDIS supports the four CPD formula grant programs: Community Development Block Grant (CDBG), HOME Investment Partnerships (HOME), Emergency Shelter Grants (ESG), and Housing Opportunities for Persons With AIDS (HOPWA) and the related American Recovery and Reinvestment Act programs: CDBG-Recovery, Tax Credit Assistance Payment (TCAP), and Homelessness Prevention and Rehabilitation Program (HPRP). DRGR supports the Disaster Recovery CDBG program and other special appropriations, such as the three rounds of funding of the Neighborhood Stabilization Program.

Annually, IDIS's and DRGR's compliance status, as determined by HUD, is reported in HUD's Agency Financial Report. The financial portions of IDIS and DRGR, which store the transaction-level detail of the grant payments, are interfaced with HUD's core financial systems.[5] Additionally, IDIS and DRGR are the systems through which the grantees request funding from their grants and, thus, perform the payment management function for those grants.
As a financial\n                management system, CPD and CFO are responsible for ensuring IDIS and DRGR\n                comply with the standards included within OMB A-127. Therefore, the\n                transaction-level data, which are summarized, must be posted to the core financial\n                statements using proper USSGL accounts and accounting standards, and the\n                systems must comply with Federal financial management system requirements.\n                Although the OIG has reported significant internal control deficiencies6 and has\n                reported IDIS non-compliant with FFMIA, OMB A-127, and federal financial\n                accounting standards in fiscal years 2009, 20107, and 2011, the system is still\n                reported, by the CFO, as compliant in the Department\xe2\x80\x99s Agency Financial Report.\n                The system is reported as compliant by the Department without CFO\xe2\x80\x99s review or\n                research into OIG\xe2\x80\x99s basis for determining IDIS as noncompliant.\n\n    CPD\xe2\x80\x99s Grants Management\n    Systems Did Not Comply With\n    Federal Financial System\n    Requirements\n\n\n                The Federal financial management system requirements consist of three parts: (1)\n                computer security requirements, which are defined by the Federal Information\n                Security Management Act (FISMA) and Circular A-130 or successor documents;\n                (2) internal controls requirements, which are the internal control objectives of\n                Circular A-123; and (3) core financial system requirements, which are defined by\n                the Federal Systems Integration Office (FSIO).\n\n                First, OIG has determined that CPD\xe2\x80\x99s financial management systems did not meet\n                the computer security requirements of A-127. 
As part of the fiscal year 2010\n                Federal Information System Controls Audit Manual (FISCAM) audit, OIG\n\n5\n  The payment requests from the systems are interfaced with LOCCS, which feeds into HUD\xe2\x80\x99s core financial\nsystems and is used to disburse funds. LOCCS then passes the disbursement information to PAS and HUDCAPS,\nwhich are the accounting systems used to generate the financial statements.\n6\n  Audit report number 2012-PH-0001, \xe2\x80\x9cHUD Needed to Improve its Use of its Integrated Disbursement and\nInformation System to Oversee its Community Development Block Grant Program,\xe2\x80\x9d issued October 31, 2011.\n7\n  Audit Report number 2010-FO-0003, \xe2\x80\x9cAdditional Details to Supplement Our Report on HUD\xe2\x80\x99s Fiscal Years 2009\nand 2008 Financial Statements\xe2\x80\x9d, issued November 16, 2009 and Audit Report number 2011-FO-0003, \xe2\x80\x9cAdditional\nDetails to Supplement Our Report on HUD\xe2\x80\x99s Fiscal Years 2010 and 2009 Financial Statements\xe2\x80\x9d, issued November\n15, 2010.\n\n                                                    12\n\x0c                determined that HUD did not ensure that adequate application controls for the\n                IDIS Online system were properly put in place and operating effectively.8 OIG\n                noted the following deficiencies within IDIS: (1) incompatible functions such as\n                system administration and security administration were not adequately separated,\n                and (2) there was no formal user recertification process to ensure that all users\n                were properly recertified. These weaknesses existed because CPD designed IDIS\n                with decentralized security without adequate controls in place to ensure that the\n                overall security of the application remained within the control of HUD staff. 
By\n                not separating incompatible system administration and security responsibilities\n                and reviewing the continued appropriateness of access to the financial systems,\n                HUD increased its risk that sensitive financial data could be modified, disclosed,\n                or misused or that erroneous or fraudulent transactions would be processed. The\n                recommendations for the findings identified remained unimplemented.\n\n                In an audit of DRGR during fiscal year 2011,9 OIG determined that the DRGR\n                program office\xe2\x80\x99s application security management program had weaknesses.\n                Specifically, the DRGR system security documentation had not been updated to\n                reflect current information about the system and its environment, and although the\n                DRGR system had been classified as a mission-critical system, it was not tested\n                during the most recent annual disaster recovery test. These conditions occurred\n                because DRGR program officials failed to communicate with the Office of the\n                Chief Information Officer (OCIO) to ensure that security controls of their system\n                were adequate and their system documentation was up to date. As a result, the\n                necessary security controls may not have been implemented. 
In addition, since\n                the contingency plan had not been adequately tested, the effectiveness of the plan\n                or the system\xe2\x80\x99s readiness to deal with a potential disaster could not be determined.\n\n                Control activities include policies, procedures, and mechanisms in place to help\n                ensure that agency objectives are met and ensure that resource use is consistent\n                with laws, regulations, and policies; resources are safeguarded against waste, loss,\n                and misuse; and reliable data are obtained, maintained, and disclosed in reports.\n                Internal controls also need to be in place over information systems, both general\n                and application control. General control applies to all information systems such\n                as the mainframe, network, and end-user environments and includes agencywide\n                security program planning, management, control over data center operations,\n                system software acquisition, and maintenance. Application control should be\n                designed to ensure that transactions are properly authorized and processed\n                accurately and that the data are valid and complete. Controls should be\n                established at an application\xe2\x80\x99s interfaces to verify inputs and outputs, such as edit\n                checks. 
General and application controls over information systems are\n                interrelated; both are needed to ensure complete and accurate information\n\n\n8\n Audit report number 2011-DP-0004 \xe2\x80\x93 \xe2\x80\x9cFiscal Year 2010 FISCAM Report,\xe2\x80\x9d issued January 14, 2011\n9\n Audit report number 2011-DP-0008 \xe2\x80\x93 \xe2\x80\x9cThe Disaster Recovery Grant Reporting System That Maintained Recovery\nAct Information Had Application Security Control Deficiencies,\xe2\x80\x9d issued July 28, 2011\n\n\n                                                   13\n\x0c                  processing. Due to the rapid changes in information technology, controls must\n                  also adjust to remain effective.\n\n                  Secondly, CPD management did not maintain effective internal controls over\n                  financial reporting within the information systems. Our review found that DRGR\n                  did not have a sufficient data modification process in place to protect financial\n                  transaction data and audit trails from being overwritten. In addition, CPD did not\n                  maintain proper internal controls or adequate audit trails in IDIS to ensure that\n                  transactions were properly authorized and processed accurately and that the data\n                  were valid and complete to ensure that agency objectives were met; resource use\n                  was consistent with laws, regulations, and policies; and resources were\n                  safeguarded against waste, loss, and misuse. In both systems, the transaction-\n                  level data detailing how grantees used funding provided by HUD were not\n                  transferred to HUD\xe2\x80\x99s core financial applications. 
The detailed financial\n                  transaction data were only maintained within the mixed systems; therefore, IDIS\n                  and DRGR were the financial management systems of record for these data, since\n                  only summary information was transferred and maintained in the core financial\n                  systems. However, OIG found that grantees were able to modify the detailed\n                  financial transactions within the systems, ultimately altering and in some cases,\n                  eroding audit trails without approval by CPD. In addition, IDIS\xe2\x80\x99s design and\n                  implementation of adequate budget controls was deficient.\n\n                  Specifically, CPD allowed DRGR grantee users to modify voucher transactions\n                  (financial events or transactions) to reflect changes to program cost allocation\n                  information between activities (the allocation of funds drawn for specific\n                  activities). As a result, reconciliation between DRGR and HUD\xe2\x80\x99s core financial\n                  applications was cumbersome and time consuming. The situation was further\n                  aggravated because (1) DRGR did not maintain the full voucher number for\n                  payment transactions recorded in LOCCS, (2) CPD allowed revision of all or part\n                  of the original distribution, (3) CPD did not require grantees to record a reason or\n                  justification for making the change within DRGR, (4) CPD allowed voucher\n                  modifications to be made until the grant was closed out, and (5) CPD did not\n                  require grantee users to obtain approval from HUD for each modification\n                  transaction.10\n\n                  In addition, CPD did not adequately use IDIS to provide oversight of activities\n                  under its CDBG program. 
As a result, HUD was unaware of how grantees used\n                  almost $67 million that were provided to grantees to fund more than 1,300\n                  activities that grantees later cancelled in IDIS. In addition, HUD lacked adequate\n                  oversight of almost $3 billion used to fund more than 20,000 long-standing11 open\n                  activities that grantees had reportedly not completed for up to 11 years. Further,\n                  IDIS did not support internal control activities to help ensure that agency\n\n10\n   Notification of Finding and Recommendation - FISCAM-07, \xe2\x80\x9cDRGR Does Not Have A Sufficient Process In\nPlace to Protect Detailed Financial Transaction Data From Being Overwritten\xe2\x80\x9d, Issued October 17, 2011\n11\n   For purposes of this review, OIG defined a long-standing program activity as an activity that remained open for at\nleast 5 years after it was funded through a grantee\xe2\x80\x99s annual consolidated plan.\n\n                                                         14\n\x0c                  objectives were met and ensure that resources used were safeguarded against\n                  waste, loss, and misuse. 7\n\n                  OIG also noted during the fiscal year 2011 audit that the IDIS system only stored\n                  the last update to any given activity record, which would make it difficult for\n                  CPD to provide oversight of activities, as well as obtain an adequate audit trail to\n                  determine whether resources were spent to achieve expected results.\n\n                  Without reliable and timely financial information, government managers have\n                  limited assurance that resources were spent to achieve expected results. 
In\n                  addition, the ability to evaluate program effectiveness and detect waste and\n                  inefficiency is diminished when audit trails are cumbersome, detailed information\n                  regarding transactions is not maintained, and approvals for data modifications are\n                  not required.\n\n                  Budget controls are part financial reporting and part compliance controls and\n                  provide reasonable assurance that budgetary transactions, such as obligations and\n                  outlays, are properly recorded, processed, and summarized to permit the\n                  preparation of the financial statements; primarily the statement of budgetary\n                  resources, in accordance with U.S. generally accepted accounting principles\n                  (GAAP). Budget controls are generally compliance controls in that they provide\n                  reasonable assurance that transactions are executed in accordance with laws\n                  governing the use of budget authority. In fiscal year 2009, we found that the\n                  design and implementation of adequate budget controls in IDIS were\n                  deficient as a result of CPD\xe2\x80\x99s decision to charge grant disbursement drawdowns\n                  from the oldest budget fiscal year (BFY) appropriation funding source available at\n                  the time of drawdown without regard for the original source of funding for the\n                  corresponding obligation recorded. CPD refers to this practice as FIFO (first-in,\n                  first-out). 
This process results in a mismatching of obligations and outlays.\n\n                  We found the monetary impact of using FIFO and incorrectly mismatching BFY\n                  fund sources to be significant, with almost $44 billion of CPD\xe2\x80\x99s formula program\n                  grants citing the mismatched BFY appropriation as a source of funds for\n                  disbursement since fiscal year 2002.12 Our review of the payment transaction\n                  history in IDIS indicated that beginning with fiscal years 2002 through October\n                  13, 2011, approximately 4.5 billion payments were completed for a total of $72.4\n                  billion, of which 57 percent, or 2.6 million payments, and approximately 61\n                  percent, or $44 billion, did not match the source and use of funds. Thus, the funds\n                  disbursed for activities set up13 under a given grant\xe2\x80\x99s BFY appropriation were\n                  disbursed from grants awarded with BFY appropriations before that grant year\n\n12\n   This is the first year that all CPD formula grants were appropriated under a fixed-year treasury symbol and no\nlonger received no-year annual appropriations.\n13\n   For purposes of the analysis, \xe2\x80\x9cset up\xe2\x80\x9d refers to the process of specifically identifying an activity under a specific\nBFY appropriation grant award and allocating estimated amounts expected to complete an activity in IDIS.\nActivities are the manner in which grantees further identify the source and use of funds and reconcile to their annual\nbudget of their grant awards.\n\n                                                          15\n\x0c                  due to the FIFO process. For fiscal year 2011 alone, there were almost 226,000\n                  payments totaling almost $4.1 billion which were mismatched. 
In addition, $55.7\n                  million of disbursements made during fiscal\n                  year 2011 from fiscal year 2004 obligations did not match the source of funds,\n                  due to FIFO. These payments should have been disbursed from a fiscal year\n                  subsequent to 2004. If FIFO was not used and the payments were properly\n                  matched to the source of funds, in accordance with the National Defense\n                  Authorization Act (NDAA) of 199114, the $55.7 million would have been\n                  returned to the U.S. Treasury at the end of fiscal year 2011.\n\n                  According to the grants\xe2\x80\x99 funds control plans, the legal point of obligation is when\n                  an acceptable annual plan is submitted, establishing what should be the BFY\n                  projects and activities, and the assistance award or amendment is signed. The\n                  point of obligation using the BFY defines the source of funds and establishes the\n                  timeframes for suballocation, expenditures, and when the funds are returned to the\n                  U.S. Treasury if not expended. This process is in accordance with GAO\xe2\x80\x99s Title\n                  2,15 which recognizes that the accounting for a Federal assistance award begins\n                  with the execution of an agreement or the approval of an application in which the\n                  amount and purposes of the grant, the performance periods, the obligations of the\n                  parties to the award, and other terms are established. 
The execution of these\n                  obligation agreements initiates a financial transaction and requires CPD to record\n                  an obligation in its financial accounting records, and to identify a related BFY\n                  source of funding for the agreement in accordance with Federal budgetary\n                  accounting laws and GAAP. This source BFY, which is identified at the point of\n                  obligation and at the initiation of the financial transaction event, is required by\n                  budgetary internal controls to remain constant and be identified with each use of\n                  the funds by the grantee. This is especially necessary for recording related\n                  financial transactions and the event of the obligation established.\n\n                  The logic used by IDIS and CPD to select the source of funds, rather than\n                  properly identifying and matching the source and use of funds, demonstrates an\n                  internal control deficiency. CPD\xe2\x80\x99s definition of \xe2\x80\x9csource of funds\xe2\x80\x9d takes into\n                  account the source of funding being only that of either a State grantee or\n                  entitlement grantee and the type of money (program income versus entitlement\n                  grant funds, etc.). It disregards the Federal budgetary fiscal year source of funds.\n                  CPD describes how FIFO is applied in a procurement document in the following\n                  manner:\n\n\n\n14\n   The National Defense Authorization Act of 1991 (Public Law 101-510, November 5, 1990) established rules\ngoverning the availability of appropriations for expenditure. 
This legislation mandates that on September 30th of the\nfifth fiscal year after the period of availability for obligation of a fixed appropriation account ends, the account shall\nbe closed and any remaining balance (whether obligated or unobligated) in the account shall be canceled and\nthereafter shall not be available for obligation or expenditure for any purpose.\n15\n    Accounting Principles, Standards and Requirements; Title 2 Standards Not Superseded by FASAB Issuances,\nfrom GAO Policy and Procedures Manual for Guidance of Federal Agencies\n\n\n                                                           16\n\x0c       The FIFO technique is applied to funds having the same grant\n       program, source of funds, recipient of funds, and type of funds.\n       The grant year is used to order the funds from oldest year to\n       newest year. When a grantee commits funds to an activity (by\n       funding an activity using the activity funding function), the funds\n       are committed from the oldest funds having the same source of\n       funds, recipient of funds, and type of funds. The grantee is\n       unaware of the year from which the funds are committed.\n       Similarly, when a grantee draws funds, the funds are drawn from\n       the oldest funds having the same source of funds, recipient of\n       funds, and type of funds.\n\nAt issue is CPD\xe2\x80\x99s and IDIS\xe2\x80\x99s treatment of the source of grant funds. Based on\nour review and discussion with CPD staff, we found that CPD used a different\nmeaning and application technique for source of funds depending on what action\nwas taken. At the point of obligation, a BFY appropriation source year was used\nto obligate the funds to a State or entitlement grantee. 
When an activity was\nestablished and funded, CPD would match the State or entitlement grantee source\nand type of funding and may have used the oldest BFY appropriation source of\nfunds to allocate funds for the estimated costs for the activity. At disbursement,\nCPD and IDIS would match the State or entitlement grantee source and type of\nfunding and use the oldest BFY appropriation source of funds to disburse funding\nto pay for an activity.\n\nWhile a grantee\xe2\x80\x99s program year may not line up with a Federal fiscal year due to\nwhen agreements are signed, the achievements, projects, and activity costs\nrecorded in the IDIS Online system must be reconcilable with the BFY\nappropriation source year in which the funding was approved. Arbitrarily\nliquidating the funding from the oldest available BFY appropriation source for the\nfund type associated with the activity is not in line with budgetary internal\ncontrols requirements.\n\nAs noted in CPD\xe2\x80\x99s definition and application of FIFO, the BFY appropriation was\nnot considered except as identification for the source of funds. CPD described the\nBFY as the grant year, and its only purpose was to order the funds from oldest to\nnewest. CPD\xe2\x80\x99s position of mingling all of the grant year (BFY appropriation)\nfunds together and simply ordering them from oldest to newest and using FIFO is\nbased on its belief that the purpose of block grants is to provide the grantees a\ngreat deal of flexibility in managing their projects. 
While this may have been the\nsimplest way to manage grants at the start of the programs, which was before\nFASAB, budget controls, the NDAA, and other recently implemented Federal\nfinancial management acts, it ignores how FIFO affects these aspects of financial\nreporting and is also noncompliant with Federal financial reporting requirements.\n\n\n\n\n                                17\n\x0c                 During the fiscal year 2009 audit, OIG identified programmatic issues, which\n                 resulted in the accumulation of undisbursed funds for the HOME program16.\n                 However, during fiscal year 2010, CPD did not review the old Community\n                 Housing Development Organizations (CHDO) and subgrantee commitments to\n                 determine whether a use for the funding existed, and if not, whether de-obligation\n                 of funds was warranted, and CPD did not develop a policy to track CHDOs and\n                 subgrantees expenditures separately, as agreed. Instead, CPD decided to modify\n                 IDIS to implement \xe2\x80\x9cFinancial Control Enhancements\xe2\x80\x9d, which CPD believes will\n                 resolve the risk of HOME grantees losing project funds due to idiosyncratic\n                 accounting rules in IDIS Online. 
CPD stated the changes would alter the way the\n                 system currently operates under limited FIFO functionality for HOME, and\n                 results in the system drawing newer money before older funds, unintentionally\n                 leaving pockets of older funds that become subject to recapture \xe2\x80\x93 even if the funds\n                 are reserved to organizations or committed to projects.\n\n                 These modifications, also known as "true-FIFO" would no longer be challenged\n                 by the recipient of funds for CHDOs and subgrantees and will only be challenged\n                 by the source and type of funds in the HOME program by the participating\n                 jurisdiction. OIG has previously communicated that the modifications to IDIS are\n                 inappropriate and coupled with the internal control deficiencies previously cited,\n                 would further erode CPD\xe2\x80\x99s ability to monitor actual performance by its\n                 participating jurisdictions and CHDOs.\n\n                 As the CFO is responsible for the approval and management of agency financial\n                 management systems design or enhancement projects, OIG recommended that HUD\n                 suspend work on this task immediately until a review of how appropriate\n                 compliant business processes can be integrated into IDIS\xe2\x80\x99s programming was\n                 conducted. 
However, CPD has disregarded OIG\xe2\x80\x99s position, and has committed $1\n                 million of HUD\xe2\x80\x99s Transformation Initiative toward implementing these changes,\n                 which are in direct contradiction to OIG\xe2\x80\x99s finding surrounding IDIS\' non-\n                 compliance with the internal control objectives of federal financial management\n                 system requirements and federal accounting standards.\n\n                 Lastly, the applicable FSIO financial system requirements for the CPD financial\n                 systems are defined by the Grant Financial System Requirements, JFMIP-SR-00-\n                 3 (June 2000). The Grant Financial System Requirements state that \xe2\x80\x9cAll grant\n                 financial systems must provide, as a minimum, the following qualities:\n\n                          Complete and accurate funds control;\n                          Complete, accurate, and prompt recording of obligations;\n                          Complete, accurate, and prompt payment of grantee payment requests;\n\n16\n  OIG determined that these funds had accumulated due to poor performing Community Housing Development\nOrganizations (CHDOs); subgrantees that were not expending funds timely; and the program\xe2\x80\x99s cumulative\naccounting techniques. 
This is discussed further under Significant Deficiency 3: Office of Community Planning and\nDevelopment\'s (CPD) Internal Controls over Monitoring Grantees\xe2\x80\x99 Compliance with Program Requirements Were\nNot Operating Effectively.\n\n                                                       18\n\x0c                  Complete, accurate, and prompt generation and maintenance of grant\n                  financial records and transactions;\n                  Timely and efficient access to complete and accurate information, without\n                  extraneous material, to those internal and external to the agency who\n                  require the information;\n                  Timely and proper interaction of the grant financial system with core\n                  financial systems and other existing automated systems; and\n                  Adequate internal controls to ensure that the grant financial system is\n                  operating as intended.\n\n           Payment requests require the following information in the request:\n\n                  Grantee name and identifier\n                  Amount requested\n                  Grantee official authorized to submit request\n                  Authorized grantee\xe2\x80\x99s information\n                  Amount of funds authorized\n                  Amount approved\n                  Amount disallowed\n                  Program funding codes\n                  Appropriation code(s)\n\n           In addition, the Financial Reporting Process Flow section of the Grant Financial\n           System Requirements provides that \xe2\x80\x9csufficient and appropriate information must\n           be maintained for reconciliation with the agency\xe2\x80\x99s core financial system.\xe2\x80\x9d\n\n           As noted above, IDIS did not maintain grant financial records and transactions, as\n           grantees had the ability to change the details of financial records and transactions.\n           The system maintained 
only a record of the last change and did not maintain an\n           audit trail. In addition, during the payment request process in IDIS, the request\n           did not include or require the appropriation code; hence, the system arbitrarily\n           selected the oldest appropriation code (BFY) to use for the payment.\n\nCPD\xe2\x80\x99s Grants Management\nSystems Did Not Comply With\nFederal Accounting Standards\n\n\n           Agency financial management systems must maintain accounting data to permit\n           reporting in accordance with Federal accounting standards and reporting\n           requirements issued by the Director of OMB or the Secretary of the Treasury.\n           Statement of Federal Financial Accounting Standards 4: Managerial Cost\n           Accounting Standards states that cost assignments should be directly traceable to\n           the original common data source.\n\n\n\n                                            19\n\x0c                    Statement of Federal Financial Accounting Concepts 1: Objective of Federal\n                    Financial Reporting Standards states that financial reporting should assist in\n                    fulfilling the Government\xe2\x80\x99s duty to be publicly accountable for funds raised\n                    through taxes and other means and for their expenditure in accordance with the\n                    appropriations laws that establish the Government\xe2\x80\x99s budget for a particular fiscal\n                    year and related laws and regulations. 
Federal financial reporting should provide\n                    information that helps the reader to determine how information on the use of\n                    budgetary resources relates to information on the costs of program operations and\n                    whether information on the status of budgetary resources is consistent with other\n                    accounting information on assets and liabilities.\n\n                    As grantees can change the information used to provide the data used for\n                    performance reporting, the systems lack reliable and comprehensive managerial\n                    cost information on grantee activities and outputs. When grantees alter the detail\n                    of the accounting transactions and that information is in contrast to the\n                    information reported in the core financial systems and reported in the external\n                    financial reports, the information reported to external parties regarding the\n                    performance is not traceable to the common data source. This is especially true as\n                    the information has the ability to change across financial reporting periods\n                    without CPD\xe2\x80\x99s knowledge. CPD lacked an effective cost accounting system that\n                    was capable of tracking and reporting costs of CPD\xe2\x80\x99s programs in a timely\n                    manner to assist in managing its daily operations. This condition rendered HUD\n                    unable to produce reliable cost-based performance information. In addition, as\n                    the process of FIFO does not allow the costs of performing the grantee activities\n                    to be traceable to an original data source, the process of accumulating cost\n                    information was time consuming, labor intensive, untimely, and ultimately made\n                    that cost information not readily available. 
Without reliable and timely financial
information, government managers have limited assurance that resources were
spent to achieve expected results. In addition, the ability to evaluate program
effectiveness and detect waste and inefficiency is diminished when audit trails are
cumbersome, detailed information regarding transactions is not maintained, and
approvals for data modifications are not required.

HUD’s Uniform Administrative Requirements for Grants and Cooperative
Agreements17 requires that grantee financial management systems provide for (1)
accurate, current, and complete disclosure of the financial results of each federally
sponsored project or program and (2) records that identify adequately the source
and application of funds for federally sponsored activities. These records must
contain information pertaining to Federal awards, authorizations, obligations,
unobligated balances, assets, outlays, income and interest, and comparison of
outlays with budget amounts for each award. Whenever appropriate, financial
information should be related to performance and unit cost data and accounting
records including cost accounting records that are supported by source
documentation. Accordingly, grantees, to be in compliance with U.S.
GAAP as
well as OMB and HUD requirements, are required to account for these grants on a
BFY appropriation and grant-year basis and must identify the source and use of
funds for all financial transactions and support cost accounting. However, as
CPD has implemented the use of FIFO to arbitrarily record performance of
financial transactions and allow grantees to alter the data related to cost
accounting, its financial management systems are not capable of functioning at
the level it requires of its grantees’ financial management systems.

17
24 Code of Federal Regulations (CFR), Title 24, Part 84 and 85

CPD’s Grants Management Systems Did Not Comply With the U.S. General Ledger at the Transaction Level

Financial events shall be recorded applying the requirements of the USSGL.
Application of the USSGL at the transaction level means that each time an
approved transaction is recorded in the system, it will generate appropriate
general ledger accounts for posting the transaction according to the rules defined
in the USSGL guidance.

OIG noted during our review of DRGR that, when grantees altered the voucher
transactions in the system, as voucher transactions are approved financial
transactions, it altered the supporting detail of the financial transaction and did not
generate the appropriate general ledger accounts for posting the transaction in
accordance with USSGL at the transaction level.

In addition, as noted above, during the payment request process in IDIS, the
request did not include or require the appropriation code; hence, the system
arbitrarily selected the oldest appropriation code
(BFY) to use for the payment. It
did not generate the appropriate general ledger accounts for posting the
transaction according to the rules in the USSGL guidance, which requires outlays
of obligations to be recorded against the obligation.

Significant Deficiency 2: HUD’s Processes for Reviewing Its Obligations Had Improved, but Deficiencies Still Existed

HUD had made progress over the past several years in improving its processes for reviewing its
outstanding obligations and recapturing amounts no longer needed to fund them. However,
deficiencies still existed that allowed invalid obligations to remain in HUD’s accounting records.
This condition occurred because of a lack of resources and inadequate procedures. This has been
a long-standing weakness.

In fiscal year 2011, HUD’s CFO coordinated a review of unliquidated obligations to determine
whether the obligations should be continued, reduced, or canceled. The review encompassed all
of HUD’s unliquidated obligations except those for the Section 8 project-based and tenant-based
moderate rehabilitation programs and Sections 235 and 236 interest reduction and rental
assistance and rent supplement programs, which were subjected to separate reviews led by the
program offices. We evaluated HUD’s internal controls for monitoring obligated balances and
found that HUD had continued its progress in implementing improved procedures and
information systems. However, additional improvements are needed. Our review of the fiscal
year 2011 yearend obligation balances showed that timely reviews and recaptures of unexpended
obligations for the CPD Supportive Housing Program, Section 202 and 811 programs, and
HUD’s administrative and other program obligations were not always performed.
As a result,
$38.5 million in excess funds had not been recaptured, which, however, is a significant
improvement from past years. Our review also identified $100.6 million in unsupported
obligations for predevelopment and low-rent development grants that had not been closed out, of
which $76.6 million was identified in the prior year financial statement audit and remained open
in fiscal year 2011. Lastly, our review identified $18.3 million obligated for 154 expired
Housing Choice Voucher contracts.

Administrative and Other Program Obligations

Annually, the CFO forwards requests for obligation reviews to HUD’s
administrative and program offices. The focus of the review is on administrative
and program obligations that exceed threshold amounts established by the CFO.
The thresholds are calculated so that if all obligations above the thresholds are
reviewed, approximately 95 percent of HUD’s total open obligations will have
been reviewed. For this year’s review, the thresholds were set at $23,000 for
administrative obligations and $243,000 for program obligations. HUD identified
1,758 obligations with remaining balances totaling $65.3 million for deobligation.
We tested the 1,758 obligations HUD identified to determine whether the
associated $65.3 million had been deobligated in HUD’s accounting systems. We
found that, as of September 30, 2011, a total of 93 obligations with remaining
balances totaling $1.7 million had not been deobligated.
HUD had initiated the
process of closing these contracts, and the associated funding should be
recaptured in fiscal year 2012.

Supportive Housing Program Contracts

Our review of the obligation balances for the Office of Special Needs Assistance
Programs (SNAPs) as of September 30, 2011, showed approximately $57.8
million in undisbursed obligations recorded for expired contracts for Supportive
Housing Program contracts. These contracts expired on or before June 30, 2011.
CPD’s funds control plan allows a 90-day closeout period for expired contracts.
HUD regulations also state that HUD may authorize an extension for a recipient
to complete the closeout process and liquidate all obligations incurred under the
award.

Field offices were responsible for reviewing the status of contracts and
recommending that funds that have been obligated but not disbursed before the
expiration of the contract be deobligated and included in the next notification of
funding availability to be awarded to eligible grantees if they are deobligated
during the unexpired phase of the budget authority.18

During the fiscal year 2010 audit, OIG identified $97.8 million in unexpended
balances on expired contracts which had not been closed out during the 90-day
period.
Additionally, OIG reported that SNAPs did not have an effective system
of internal controls with published control activities that included specific
policies, procedures, and mechanisms in place to help ensure that grants were
closed out and remaining balances recaptured, including appropriate
documentation of extensions granted and follow-up efforts with the grantees.

During fiscal year 2011, SNAPs documented policies and procedures to review
contracts approaching expiration to determine actions to take before the contracts
expired, as well as review procedures after contract expiration. As of September
30, 2011, SNAPs had reviewed the status of the $97.8 million identified in the fiscal
year 2010 audit and taken action to deobligate $77 million in unexpended
balances on expired contracts. However, contracts that expired between July 1,
2010, and June 30, 2011, were not closed out during the 90-day period, leaving an
additional $32 million19 in unexpended balances on expired contracts as of
September 30, 2011.

18
Period of availability for making disbursements: Under a general law, funds annual budget authority and
multiyear budget authority may disburse during the first two phases of the life cycle of the budget authority. During
the unexpired phase, the budget authority is available for incurring “new” obligations. You may make “new” grants
or sign “new” contracts during this phase, and you may make disbursements to liquidate the obligations. This phase
lasts for a set number of years. Annual budget authority lasts for up to 1 fiscal year.
Multiyear authority lasts for
longer periods, currently from more than 1 fiscal year up to 15 fiscal years, and no-year authority lasts indefinitely.
19
SNAPs made efforts to deobligate $77 million, disbursed $1.7 million, and extended $1.2 million for a total of
$79.9 million, leaving $17.9 million. As of September 30, 2011, SNAPs had identified an additional $7.9 million
for a total of $25.8 million in undisbursed balances on grants which expired before June 30, 2010. The $25.8
million and the $32 million which expired between July 1, 2010, and June 30, 2011 result in the $57.8 million in
undisbursed balances as of September 30, 2011.

Due to the extensive backlog of expired contracts that expired before December
31, 2010, SNAPs’ efforts were focused on deobligating the old balances and did
not concentrate effort and resources on the contracts that were expiring during
fiscal year 2011. SNAPs acknowledged that it would have to refocus and ensure
that it becomes current with the review process.

Excess funding on the $32 million from expired contracts identified during this
year’s audit can be included in the next Continuum of Care competition, as
announced in the notice of funding availability, and redistributed to eligible
grantees.
The excess funds should be recaptured and used to further accomplish
the objectives of the program, which are to reduce the incidence of homelessness
in Continuum of Care communities by assisting homeless individuals and families
in moving to self-sufficiency and permanent housing.

Supportive Housing for the Elderly and Disabled - Sections 202 and 811 Programs

HUD’s Sections 202 and 811 programs provide affordable housing and supportive
services for elderly families and families with disabilities. These programs
provide capital advances to private nonprofit organizations to finance the
construction of new facilities or the acquisition or rehabilitation of existing
facilities. The capital advance is interest free and does not have to be repaid if the
housing remains available for very low-income elderly or disabled families for at
least 40 years. After the facility has been constructed and occupied, HUD
provides additional project rental assistance contract funds to owners to cover the
difference between the HUD-approved operating cost for the project and the
tenants’ contribution toward rents. Funds for the Section 202 and 811 programs
are also used to provide service coordinator grants, technical assistance, and
inspections. Generally, funds appropriated for Section 202 and 811 programs are
available for 3 years.
After 3 years, the funds expire and will not be available for
obligation, which makes it necessary to track funds obligated under the program.

At the beginning of fiscal year 2011, the Sections 202 and 811 programs had
unliquidated obligation balances of $3.1 billion and $838 million, respectively.
We reviewed the PAS subsidiary ledger supporting the unliquidated obligations to
determine whether unliquidated program obligations reported were valid and
whether invalid obligations had been cancelled and recaptured in PAS. Our
review identified 154 Section 202 and 811 projects with available obligation
balances totaling $4.8 million that had either expired or were no longer needed.
HUD had initiated the process of closing out these projects, and the associated
funding should be recaptured during fiscal year 2012. Additionally, the Office of
Housing Assistance and Grant Administration within HUD’s Office of Housing
is taking steps to improve the monitoring of the Section 202 and 811 unliquidated
obligations, including issuing instructions to the Hubs and Program Center
Directors to perform reviews on a semiannual basis, providing them with copies
of the updated funds control plans, and working with CFO Systems staff to ensure
expiration dates are entered for all Section 202 and 811 projects.

Public Housing Predevelopment Grant Programs

HUD’s Office of Public Housing Investments, within the Office of Public and
Indian Housing (PIH), administers the Public Housing Capital Fund and
development grant programs, which provide public housing agencies with funds
for development, financing, modernization, and management improvements.
As of April 2011, the Office of Public Housing Investments grants subsidiary
ledger contained 8,160 unliquidated obligations with remaining balances totaling
$3.9 billion. Our review of the Capital Funds unliquidated obligations focused on
170 grants funded with appropriations received before the enactment of the
Quality Housing Work and Responsibility Act of 1998. The obligations for these
grants were coded in HUD’s general ledger with fund codes that indicated the
funds’ source year as fiscal year 1996 or earlier. Additionally, the obligations
were recorded under program codes for predevelopment, development, and
technical assistance activities in HUD’s grants management and disbursement
system, LOCCS.

Our fiscal year 2011 review identified 34 grants with remaining obligated
balances totaling $24 million that should have been closed out. Of these, 16 with
remaining balances totaling $12.8 million were predevelopment grants that had
been left on the books after the grant activities had been completed. There were
no cumulative disbursement records in LOCCS for these 16 predevelopment
grants. These grants had been transferred from an older system to LOCCS, and
there was no audit trail by which the current balance could be verified. OIG Audit
Report 97-SF-107-0001 reported similar problems with the transfer of low-rent
development grants in 1996.

We also followed up on the status of the $174 million in invalid obligations for
434 grants from PIH’s low rent program that were recommended for recapture in
our report on HUD’s fiscal year 2010 financial statements. As of September
2011, there was $76.6 million obligated for 132 grants that had not been
recaptured.
HUD’s final action target date for the recapture of these funds is June
30, 2012.

The invalid obligations for the predevelopment grants and the low rent program
grant remained on HUD’s books because PIH did not have a program office or
division responsible for administering them. There was also a lack of adequate
procedures for the review of the remaining balances obligated for these grants.
This condition led to difficulties in closing out the 132 remaining grants from our
fiscal year 2010 audit recommendation as the PIH field offices had not been able
to provide the documentation necessary for the grant closeouts and recapture of
remaining balances.

Last year, we recommended that the CFO develop desk procedures and perform
reconciliations to ensure that the unpaid obligations subsidiary records for
program grants accurately support the general ledger balances. We reviewed the
CFO reconciliation of the unpaid obligations for appropriation 0304 as of
September 30, 2011. We noted that one grant for $2.3 million was repeated in
two portfolios and used twice to support the balance. Also, we noted a $2 million
reconciling item labeled “Non-PAS Program” that was unsupported at the end of
audit field work. Lastly, the $76.6 million from the low rent program portfolio
containing invalid public housing grants that we identified and reported last year
was used to support the general ledger balance.

HUD’s CFO relied on PIH to review and certify the validity of its program
obligations; however, it had no procedures in place to monitor or verify the
accuracy and completeness of PIH’s unpaid obligations review.
This condition
led to an overstatement of HUD’s obligation balance by $100.6 million.

Section 8 Housing Choice Voucher Contract Renewals Obligations

Starting January 1, 2005, Congress changed the basis of the tenant-based Section
8 Housing Choice Voucher program funding from a “unit-based” process to a
“budget-based” process that limits the Federal funding to a fixed amount. Under
this legislation, HUD distributes Federal funding using a formula based on the
prior 12 months reported by housing agencies. HUD disbursed on a monthly
basis 1/12 of the annual funding allocated to the PHA, leaving no balance of
unpaid obligations after the 12-month period.

As of March 2011, the program’s subsidiary ledger had a total of 7,740 unpaid
obligation contracts totaling $3.1 billion, which supported the program general
ledger unpaid obligation accounts that had accumulated since fiscal year 2005.
The data showed 1,123 contracts totaling $52 million in unpaid obligations that
were expired as far back as fiscal year 2005. We tested 40 obligation contracts
totaling $31 million (60 percent) and found that all were expired according to the
terms of their funding notification letters. At least 14 contracts amounting to $14
million related to Moving to Work Demonstration program (MTW) PHAs and 19
contracts amounting to $6 million related to regular Section 8 PHAs should
have been deobligated years ago.

PIH justifications for retaining MTW PHAs’ contracts obligated were not
substantiated by the MTW program director, who was unaware of the funds’
obligation status.
This lack of communication among the PIH offices regarding
the status of obligations in the Section 8 program affected HUD’s ability to
maintain accurate accounting records. As a result of our review, HUD’s
Financial Management Center (FMC) proposed to process recaptures for the $14
million MTW PHA contracts and the $6 million for other remaining contracts but
had not fully completed the process at yearend. As of September 2011, we noted
154 expired contracts (including MTW PHAs) totaling $18.3 million that should
have been deobligated.

In regard to regular Section 8 Housing Choice Voucher program expired
contracts, we attribute this condition to PIH management’s terminating the
reviewing of program obligations, believing that obligated contracts were fully
disbursed, leaving no unpaid obligated balance after implementing the Section 8
budget-based funding methodology in 2005. Nevertheless, our review showed
obligated contracts that had expired with outstanding balances that should be
deobligated.

Significant Deficiency 3: Office of Community Planning and Development’s Internal Controls Over Monitoring Grantees’ Compliance With Program Requirements Were Not Operating Effectively

CPD seeks to develop viable communities by promoting integrated approaches that provide
decent housing and a suitable living environment and expand economic opportunities for low-
and moderate-income persons. The primary means toward this end is the development of
partnerships among all levels of government and the private sector, including for-profit and
nonprofit organizations. To carry out its mission, CPD uses a mixture of competitive and
formula-based grants.
OMB Circular A-123, Management’s Responsibility for Internal Controls,
requires that management, and ultimately HUD’s program offices, implement an effective system
of internal controls to ensure that grantees for which funds are provided meet their goals and
objectives and carry out the program in accordance with program requirements. These
responsibilities include developing and maintaining internal control activities that comply with
standards to meet the three objectives of internal control: (1) effectiveness and efficiency of
operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and
regulations.

In carrying out its internal control responsibility of grantee oversight, management is responsible
for assessing the risk of grantee noncompliance with program regulations and developing control
activities which collect and distribute timely and relevant information to those charged with
making informed decisions. Control procedures developed should be clearly communicated, be
written, provide an audit trail, and be located where they can be obtained by those carrying out
the activities. Proper design of control activities is important, as is the collection and
dissemination of timely and relevant information. However, effective use and proper analysis of
the information collected to facilitate timely follow-up on grantee deficiencies noted is equally
important.
Moreover, monitoring and evaluating the effectiveness of control procedures is
critical to ensure correction of internal control deficiencies before they materially affect the
achievement of the program’s and the organization’s objectives and goals.

Based upon our review of CPD’s programs and internal controls implemented to monitor grantee
compliance with program regulations, we noted control deficiencies regarding the programs’
timely action and follow-up with noncompliant grantees, as well as inadequate procedures to
identify noncompliant grantees. The combination of the control deficiencies noted during our
audit has adversely affected the organization’s ability to meet its internal control objectives,
which are to not only determine grantee compliance with applicable laws and regulations, but to
also identify deficiencies in a timely manner and design and implement corrective actions to
improve or reinforce program participant performance.

Subgrantees and Community Housing Development Organizations for the HOME Program Did Not Always Expend Grantee Funds in a Timely Manner

Our review of the HOME program found $16.3 million in unexpended grants
funded with no-year expiration funds and dated from 1992 through 2001; $9.9
million of the $16.3 million was uncommitted as of September 30, 2011. These
no-year funds had accumulated due to (1) poorly performing community housing
development organizations (CHDO) and subgrantees of the participating
jurisdictions that did not expend funds in a timely manner, (2) a cumulative
accounting process which allowed poor performance to go undetected, and (3) a
recapture policy for noncompliant participating jurisdictions that recaptured funds
from a current funding source.
The $16.3 million in HOME grant funds were not
used to expand the supply of decent, safe, sanitary, and affordable housing for
low- and very low-income families.

In addition, our review showed $2.6 million in unexpended fiscal year 2004
HOME funds and $1.7 million in uncommitted funds. These funds, due to
provisions of the NDAA, were cancelled and remitted to the U.S. Treasury by the
Department on September 30, 2011.

                        Table 1
Fiscal Year    Available To Commit    Available To Draw
1992                       $40,324              $62,270
1993                       357,438              655,751
1994                       640,551            1,730,511
1995                       911,566            1,340,591
1996                       981,750            2,000,826
1997                       578,613              945,841
1998                     1,749,007            2,325,634
1999                     1,557,579            1,882,625
2000                       869,221            1,696,771
2001                     2,288,614            3,707,930
Subtotal                 9,974,663           16,348,750
2004                     1,707,640            2,574,731
Grand Total            $11,682,303          $18,923,481

Current HOME program regulations state that funds not expended in a timely
manner can be reallocated in the next year’s formula allocation to further the
mission of the program.
It is the field offices’ responsibility to ensure that funds
from fiscal years 2001 and earlier that were not spent in a timely manner were
recaptured and used in the next year’s formula allocation.

HOME program regulations did not penalize or highlight poorly performing
grantees, subgrantees, or CHDOs for two reasons.

    First, CHDO subgranted or reserved funds and other subgranted funds
    were held to the 5-year disbursement deadline, but it was the participating
    jurisdiction that was ultimately responsible for meeting the disbursement
    deadline. Therefore, compliance was monitored at the participating
    jurisdiction’s level. To that end, if a CHDO or subgrantee did not draw
    down funds or complete projects in a timely manner, it could be masked
    by other well-performing or over-performing CHDOs, subgrantees, or the
    participating jurisdiction itself. In addition, it appears that the large
    number of subgrantees and CHDOs per participating jurisdiction within
    the HOME program and lack of field office staff made it difficult for the
    field offices to sufficiently monitor the status of subgranted funds.

    Second, the commitment, reservation, and disbursement deadlines were
    determined on an aggregate or cumulative basis versus a grant-year basis.
    This condition created a situation in which older funds remained available
    for drawdown because compliance with the disbursement deadline was
    determined cumulatively. Therefore, if a grantee was not performing as it
    should or not spending funds to complete its projects, the cumulative
    program requirements allowed a grantee’s poor performance for 1 grant
    year to remain undetected. As noted above, $11.6 million in funds was
    uncommitted.
    The cumulative process allowed these funds to remain
    uncommitted for almost 20 years, while the participating jurisdiction
    remained compliant with the regulations during the compliance reviews.
    In addition, if participating jurisdictions were found to be noncompliant,
    the recapture process deobligated funds from current multiyear funding
    sources and not the older no-year expiration funds, which also remained as
    obligated balances.

As part of the fiscal year 2011 audit, OIG recalculated Jacksonville – Duval
County’s 2008 commitments based upon the commitments made only between
the date of the 2008 grant award and its October 31, 2010, deadline date. OIG
determined that, based upon only applying the commitments made toward the
participating jurisdiction’s 2008 planned budget and actual commitments signed
during that 2-year period, the participating jurisdiction did not commit 100
percent of its 2008 grant before the deadline and was short of the 100 percent
requirement by $464,715. Additionally, OIG reviewed the De Kalb County
participating jurisdiction and determined that it fell short of committing $391,298
before its June 30, 2011, deadline for its fiscal year 2009 grant. However, based
upon HUD’s cumulative technique, which allows the inclusion of commitments
for grants awarded prior to and subsequent to the grant year, neither participating
jurisdiction was considered to be non-compliant.

During the fiscal year 2009 audit,20 OIG recommended that CPD ensure that field
offices encourage participating jurisdictions to review the expiring funds report,
as well as the performance of CHDOs and subgrantees, to determine whether the
unused funds should be deobligated.
We also recommended that CPD develop a
policy that would track expenditure deadlines for funds reserved and committed
to CHDOs and subgrantees separately.

However, as part of the fiscal year 2010 audit, CPD informed OIG that to rectify
this problem and in response to our recommendations, it contracted with an
independent company to modify IDIS[21] so that one CHDO’s or subgrantee’s
funds under one participating jurisdiction could be used by another in the event of
untimely use of funds by another CHDO or subgrantee. CPD calls this process
“true-FIFO.” CPD officials stated this process will keep unused funds from being
“held” to one CHDO. HUD estimated that the proposed change in IDIS would
result in the drawdown of grant funds on a true-FIFO basis and would eliminate
the fiscal years 1992-2001 HOME grant balances in less than 1 fiscal year. The
project was expected to have been implemented by December 31, 2010.

OIG communicated to CPD that the implementation of “true-FIFO” modifications
to IDIS was inappropriate and would further erode CPD’s ability to monitor
actual performance by its participating jurisdictions and CHDOs and sufficiently
manage its grant funds and recommended that CPD suspend work pending
completion of a review of how appropriate compliant business processes could be
integrated into IDIS’s programming.

CPD has delayed implementing the system changes until further instruction from
Management due to OIG's concerns.
At the conclusion of the fiscal year 2011
audit, the recommendations from OIG from the 2009 and 2010 audit had not been
implemented, and $18.9 million remained undisbursed. OIG maintains its
position that the modifications prevent CPD from sufficiently managing its grant
funds and, thus, should be suspended.

[20] Audit Report number 2010-FO-003, “Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010
and 2009 Financial Statements”, issued November 15, 2010, Subgrantees and Community Housing Development
Organizations for the HOME Program Do Not Always Expend Grant Funds in a Timely Manner, identified $24.7
million in undisbursed HOME funds on grants from 1992 through 2001.
[21] As a nationwide database, IDIS provides HUD with current information regarding the program activities
underway across the Nation, including funding data. HUD uses this information to report to Congress and to
monitor grantees. IDIS is the drawdown and reporting system for the four CPD formula grant programs: CDBG,
HOME, ESG, and HOPWA and Recovery Act programs: CDBG-R, TCAP, and HPRP. The system allows grantees
to request their grant funding from HUD and report on what is accomplished with these funds.

Completed Projects for the HOME Program Were Not Always Closed Out in IDIS in a Timely Manner

A review of the HOME program open activities report,[22] dated September 30,
2011, showed 6,994 of 21,121 open activities (33 percent), in which the
participating jurisdiction had made its final draw but the activity was still listed on
the report. Thus, these projects were not closed in the system, although all funds
had been drawn.
HOME program regulations required participating jurisdictions
to enter project completion information into IDIS within 120 days of making a
final draw for a project. A similar finding was reported by OIG during the fiscal
years 2009 and 2010 audits.[23]

The report also showed 307 activities which were funded between April 2000 and
September 2010 that had a funded and remaining amount of $63.9 million, as no
draws had been made against the activities since they were initially funded. The
report further showed 190 activities funded between 1999 and 2009 wherein the
percentage of amounts drawn on the activity was 50 percent or less. These
activities had incurred no drawdowns on the funds since 2009 and had balances
of $24 million still available for draw.

Table 2

Funding year    Amount remaining    Number of activities
2000                     $14,803                       2
2004                      40,000                       1
2007                   3,459,218                       5
2008                   2,084,863                       8
2009                   7,431,133                      21
2010                  50,932,456                     270
Total                $63,962,473                     307

Table 3

Funding year    Amount remaining    Number of activities
1999                      $3,614                       1
2000                     116,264                       2
2001                   1,011,025                       6
2002                     462,728                       9
2003                     563,849                       6
2004                   1,358,092                      10
2005                     729,547                      13
2006                   1,739,786                      25
2007                   6,976,759                      35
2008                   8,315,926                      56
2009                   2,764,160                      27
Total                $24,041,748                     190

[22] The open activities report is issued monthly and used by CPD field offices and participating jurisdictions within
the HOME program to review open activities in IDIS. Open activities are those that have not been closed in the
system.
[23] Audit Report number 2010-FO-003, “Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010
and 2009 Financial Statements”, issued November 15, 2010, Completed Projects for the HOME Program Not
Always Closed Out in IDIS in a Timely Manner, identified 5,972 of 29,216 projects (20 percent), in which the
participating jurisdiction had made its final draw but the activity was still listed on the August 31, 2009, open
activities report.

The open activities report also allows participating jurisdictions to view activities
that have been open for several years with little or no HOME funds drawn. Field
offices can use this report as a desk-monitoring tool to view each participating
jurisdiction’s open activities in need of completion or possibly cancellation in
IDIS. If the report indicates that funds have not been drawn for an extended
period, the field office can use the report to follow up with the participating
jurisdiction to determine the reason for the slow progress on the project and
whether it should be cancelled.

However, it appeared that the field offices were not using the open activities
report to follow up with participating jurisdictions on slow-moving projects listed
on the report. It also appeared that participating jurisdictions were not using the
report as a reference to determine projects that should be cancelled or closed in
IDIS. The report was created to alleviate the widespread problem of participating
jurisdictions not entering project completion data into IDIS in a timely manner. A
similar finding was reported by OIG concerning HUD’s need to improve efforts
to require participating jurisdictions to cancel HOME fund balances for open
activities.[24]

As a response to the OIG findings, HOME published a new HOME FACTS
policy (HOME FACTS - Vol. 3 No. 1, June, 2010).
The HOME FACTS
announces and explains the change in HUD’s treatment of HOME activities with
commitments in the IDIS that are more than 12 months old with no funds
disbursed being automatically cancelled within the system. Additionally, HUD
reported that it would review the open activities report annually for stalled
activities and follow up on them until resolution. However, the HOME FACTS
did not address participating jurisdictions entering completion data into IDIS in a
timely manner, nor did it address a system of internal controls, wherein control
activities would be established and implemented to ensure compliance and that
instances of noncompliance would be communicated to management in a timely
manner to effect change.

[24] Audit Report number 2009-AT-0001, “HUD Lacked Adequate Controls to Ensure the Timely Commitment and
Expenditure of HOME Funds”, issued September 28, 2009

During the fiscal year 2011 audit, OIG noted that effective January 1, 2011,
activities were automatically cancelled by HUD. However, grantees were able to
reinstate and open activities which were cancelled through HUD’s automated
cancellation process; hence, the September 30, 2011, report showed 307 old
activities funded before September 2010 which had not had any draws since they
were funded with an open status. In addition, the annual review for stalled
activities had not been implemented in a formal policy or completed. Projects
which appeared to be stalled remained “open”.
CPD also did not explain the
cause for the stalled projects identified during fiscal year 2010 audit which
remained stalled in fiscal year 2011.

Participating jurisdictions that do not enter completion data in a timely manner are
in violation of the HOME regulations. Failure to enter project completion data in
IDIS negatively affects a participating jurisdiction’s score on several HOME
performance SNAPSHOTS indicators, understating actual accomplishments and
reducing the participating jurisdiction’s statewide and national overall rankings.

The widespread failure of participating jurisdictions to enter completion and
beneficiary data in a timely manner resulted nationally in underreporting of actual
HOME program accomplishments to Congress and OMB and may negatively
impact future funding for the program. Failure to cancel stalled or inactive
activities in a timely manner leaves unused funds committed to activities and
keeps them from being committed to new activities.

Findings Cited During CPD’s Onsite Grantee Monitoring Were Not Followed Up and Closed in the Grants Management Process Information System in a Timely Manner

A review of several key elements of the grantee monitoring process established
under CPD’s Office of Field Management revealed that the CPD field offices,
which are responsible for conducting monitoring reviews of CPD program
grantees, did not always follow the CPD Monitoring Handbook or the annual risk
assessment notice.
The review also revealed that the Grants Management Process
(GMP) information system[25] was not always updated to reflect the current status
of the monitoring reviews.

We reviewed the risk analyses performed in accordance with CPD Notice 09-04,
Implementing Risk Analyses for Monitoring Community Planning and
Development Grant Programs in FYs [fiscal years] 2010 and 2011, and the
monitoring activities in accordance with the CPD Monitoring Handbook. For 20
of the 43 CPD field offices responsible for conducting the monitoring reviews, we
reviewed a notification letter, a monitoring letter, and the field office’s annual
work plan. We selected a sample of 24 individual grantees within each of the 20
field offices sampled and reviewed their individual work plans. Our review
revealed that although the handbook requires it, (1) field offices did not always
include an individual grantee monitoring strategy for a high-risk grantee or
program, (2) one field office did not prepare an overall workplan for the fiscal
year’s monitoring strategy, (3) one field office excluded a grantee from the risk
analysis process, (4) field offices did not send a notification letter to the grantee
more than 14 days before the monitoring, (5) monitoring report letters were sent
to the grantee after the 60-day deadline, (6) required exhibits were not always
used, and (7) a required finding was not issued.
A similar finding was reported in
the fiscal year 2010 audit management letter.

As part of the fiscal year 2011 audit, we reviewed a sample of open findings
identified during the fiscal years 2006 through 2010 onsite grantee monitoring
reviews conducted by the CPD field offices. Our review revealed that although
required by the handbook, (1) HUD reviewers in the field offices did not
document follow-up with a program participant when it did not meet the
established target date, (2) field offices did not always send an additional letter if
the program participant was nonresponsive to the first reminder, and (3) field
offices did not respond to the program participant within the 30-day requirement
to communicate the status of their finding after review of the documentation
submitted by the program participant to attempt to close the finding. We found
that responses ranged between 22 and 883 days.

The deadlines and responsibilities outlined in the CPD Monitoring Handbook
provide an effective system of monitoring internal controls. They include
providing timely and relevant information to those charged with making decisions
as well as timely follow-up for deficiencies identified. However, all field offices
had not implemented the internal controls outlined in the handbook, which led to
properly designed controls being ineffective.
Not following the handbook
prohibits the field offices from identifying instances of noncompliance and
potential fraud, waste, and abuse by program participants and prohibits the
grantees from rectifying deficiencies in a timely manner.

[25] The GMP system is a computer-based information system that is used to provide a documented record of
conclusions and results.

The Office of Affordable Housing Did Not Adequately Monitor Grantees of the Tax Credit Assistance Program or Document Their Compliance with OMB Regulations

The Office of Affordable Housing Programs (OAHP) did not have adequate
internal controls in place to monitor Tax Credit Assistance Program (TCAP)
grantees for compliance with the program regulations or to ensure onsite
monitoring of the $2.082 billion disbursed of the $2.244 billion in grants awarded.
OAHP lacked staff, expertise, and funding to perform onsite monitoring reviews.
Compliance with program regulations, Federal requirements, and completion of
program goals were not monitored.

Although the TCAP grant agreements require grantees to monitor the grant-
supported activities to assure compliance with applicable Federal requirements
and that performance goals were achieved as a term of the grant agreement,
OAHP did not monitor grantees to ensure that they complied with the terms of the
grant agreement. Additionally, TCAP was explicitly excluded from CPD’s
annual risk analysis for determining which grantees would be selected for onsite
monitoring, and no monitoring exhibits were developed for TCAP for onsite
monitoring reviews.
OAHP indicated during the program’s front-end risk
assessment that OAHP lacked staff expertise in the low-income housing tax credit
program, so monitoring for compliance was not feasible. Additionally, OAHP
lacked the staffing, and since no administrative funds were appropriated in the
TCAP legislation funding to administer and manage onsite monitoring of TCAP
grantees, OAHP did not have the funds necessary to conduct the onsite
monitoring.

Instead, OAHP indicated that it would rely on the controls in place at outside
entities; however, it did not ensure that the controls on which it relied were
operating effectively. It would also perform limited procedures remotely and
perform reviews of the Federal Audit Clearinghouse (FAC) for TCAP grantees
with findings and follow up on the findings identified in the A-133 single audit
reports. However, there were no written procedures or policies in place to ensure
that the review of the Clearinghouse took place and proper follow-up measures
were completed in accordance with OMB Memorandum 10-14, Updated
Guidance on the American Recovery and Reinvestment Act. In addition,
evidence of OAHP’s review of the FAC and follow-up procedures for findings
identified was not maintained, and OAHP did not demonstrate its compliance
with OMB Memorandum 10-14 regarding Federal agencies’ requirements for
review and action on the A-133 single audit reports.

OIG reviewed the FAC for TCAP A-133 single audit reports, which identified
findings during the audit and identified seven TCAP grantees.
However, OAHP
was not able to provide OIG with documentation demonstrating that in
accordance with OMB Memorandum 10-14, it had expeditiously reviewed and
resolved the audit findings for the seven grantees within 6 months after the date
on which the FAC showed filing status as complete.

OAHP’s internal control procedures for monitoring TCAP grantees to determine
whether they have performed monitoring procedures in accordance with the terms
of the grant agreements have not been adequately developed, documented or
implemented. In addition, OAHP has not adequately developed, documented or
implemented internal controls procedures for reviewing and resolving audit
findings identified in the OMB A-133 Single Audit Reports reported in the FAC,
as required by OMB Memorandum 10-14.

Significant Deficiency 4: HUD Needs To Improve Administrative Control of Funds

HUD needs to improve its accounting and administrative controls of funds to ensure that (1) all
programs that incurred obligations or disbursements have acceptable funds control plans and (2)
the funds control plans are complete, accurate, updated and complied with by the program
offices. During our review, we identified a number of program codes that did not have funds
control plans. Additionally, we noticed that funds control plans were not always updated to
reflect all program codes and did not always include the correct appropriations.
We also noted
that the Office of the Chief Financial Officer (OCFO) had not ensured the effective
administrative control of funds process as required by HUD’s Policies Handbook 1830.2.
Incomplete implementation of administrative control of funds has been a long-standing issue and
has been previously reported since fiscal year 2005 in our audit reports and management letters.

Certain HUD Programs Were Operating Without Funds Control Plans and Funds Control Plans Were Not Complete and Accurate

The Federal Managers’ Financial Integrity Act (FMFIA) of 1982 provides that
“internal accounting and administrative controls of each executive agency shall be
established to ensure (1) obligations and costs are in compliance with applicable
law; (2) funds, property, and other assets are safeguarded against waste, loss,
unauthorized use, or misappropriation; and (3) revenues and expenditures
applicable to agency operations are properly recorded and accounted for to permit
the preparation of accounts and reliable financial and statistical reports and to
maintain accountability over the assets.”

HUD’s Policies Handbook 1830.2 set forth the authorities and responsibilities to
administer control of HUD’s funds. The handbook states that Congress has
vested overall responsibility for establishing an effective administrative control of
funds process with the OCFO. It provides the internal guidance for the
preparation of the funds control plans to comply with the provisions of the
Antideficiency Act (ADA) and FMFIA as well as the overall process for
reviewing and approving the funds control plans.
It states that before the CFO
can issue an advice of allotment to an allotment holder, he or she must provide (1)
certification of knowledge and acceptance of responsibility to assure that he or
she has established and will properly execute a funds control plan that provides
reasonable assurance that obligations and expenditures will not exceed the
authorized limits of the funds allotted to him or her and (2) submission of an
acceptable funds control plan. It also states that OCFO will conduct periodic
reviews of compliance with funds control plans to ensure that adequate funds
control is being applied in actual practice.

HUD has established a program code to account for and record the use of HUD’s
funds at the detail transaction level. Each program code must have an acceptable
funds control plan before it can incur the obligations and disburse the funds. One
funds control plan can cover more than one program code.

During our fiscal year 2011 internal controls review phase, we reviewed 242
program codes excluding the program codes associated with salaries and expenses
funds.
We identified 151 program codes, with the fiscal year 2011 disbursement
total of $1.8 billion, that did not have funds control plans or the funds control
plans were not complete and accurate as follows:

Table 4

Program      Number Of        Fiscal Year 2011       Fiscal Year 2011
Office       Program Codes    Incurred Obligation    Disbursement
                              Amount                 Amount
CPD                     26        $119,714,525.00      $104,017,458.09
FHEO*                    2          10,915,354.54         2,483,583.43
HSNG**                  70         896,693,039.53     1,406,572,994.93
LBPA***                  2           3,034,169.98         1,207,549.77
PDR****                  4                   0.00         3,026,965.49
PIH                     45         157,391,136.28       251,498,961.10
SHC*****                 2         101,607,851.69         4,626,566.88
Total                  151      $1,289,356,077.02    $1,773,434,079.69

* FHEO = Office of Fair Housing and Equal Opportunity
** HSNG = Office of Housing
*** LBPA = Office of Lead-Based Paint Abatement
**** PDR = Office of Policy Development and Research
***** SHC = Self-Help Center

Note: The numbers include total incurred obligation and disbursement for the full
      fiscal year.

As a result of the missing or incomplete funds control plans, HUD did not
adequately document its controls over approximately 2.6 percent of fiscal year
2011 obligations and 3.2 percent of fiscal year 2011 disbursements.
Without this
documentation, HUD management does not have the assurance needed that the
policy, procedures, and systems in place can support the preparation of accounts
and reliable financial and statistical reports and to maintain accountability for the
assets and ensure compliance with ADA and FMFIA.

During our reconciliation with OCFO in August 2011, OCFO confirmed that 11
of 151 program codes did not have funds control plans because either (1) the
programs were old (7 program codes), (2) the funds control plans had been in the
draft status since 2009 (3 program codes), or (3) the funds control plan had not
been received by OCFO (1 program code). We could not find any statements in
HUD’s Policies Handbook 1830.2 that allow HUD to not control the funds for
programs that are old or inactive. OCFO stated that the rest, 140 of 151 program
codes, did have funds control plans but they were not complete and accurate since
they did not contain any pertinent information concerning the subject program
codes including the appropriation amounts. We reviewed 140 program codes for
which OCFO claimed to have funds control plans and found that funds control
plans for 9 of 140 program codes had additional inaccuracies.
HUD had
disbursed funds for these nine program codes to different appropriations than
those stated in the funds control plans.

Lacking a funds control plan for a specific program can cause confusion in
administering the controls of the specific funds and increase the risk for fraud and
ADA violations.

HUD Needs To Ensure Compliance With Funds Control Plans

HUD’s Policies Handbook 1830.2 states that OCFO will conduct periodic reviews
of compliance with funds control plans to ensure that adequate funds control is
applied in actual practice.

At the end of fiscal year 2011, HUD had a total of 167 approved funds control
plans as follows:

Table 5

Office    Number Of Funds Control Plans
CPD                                  65
FHEO                                  5
HSNG                                 33
LBPA                                  5
PDR                                   6
PIH                                  50
SHC                                   3
Total                               167

During the fiscal year, OCFO performed funds control compliance assessments for
four offices: Office of Sustainable Housing and Communities (appropriation
0162), Public Housing Operating Subsidy (appropriation 0163), Asset
Management Technical Assistance (appropriation 0163), and Office of Housing
Transformation Initiative – Technical Assistance (appropriation 0402).
OCFO
did not perform funds control compliance assessments for one-third of the
approved funds control plans in fiscal year 2011 as provided by its management
decision in response to the prior-year findings. As a result, it had not ensured the
effective administrative control of funds process as required by HUD’s Policies
Handbook 1830.2.

Significant Deficiency 5: Continued Improvements Over the Oversight and Monitoring of Subsidy Calculations, Intermediaries’ Performance, and Utilization of Housing Choice Voucher and Operating Subsidy Program Funds Are Needed

Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds
through various grant and subsidy programs to multifamily project owners (both nonprofit and
for profit) and housing agencies. These intermediaries, acting for HUD, provide housing
assistance to benefit primarily low-income households and individuals (families) that live in
public housing, Section 8 and Section 202-811 assisted housing, and Native American housing.
HUD spent $32 billion and $33 billion in FY 2010 and FY 2011 respectively to provide rent and
operating subsidies that could benefit an estimated 5.38 million households.

Since 1996, we have reported on weaknesses with the monitoring of the housing assistance
program’s delivery and the verification of subsidy payments. We focused on the impact these
weaknesses had on HUD’s ability to (1) ensure that intermediaries correctly calculated housing
subsidies and (2) verified tenant income and billings for subsidies. During the past several years,
HUD has made progress in correcting this deficiency. From fiscal years 2002 to 2009, PIH used
comprehensive consolidated reviews to address PHAs’ improper payments and other high-risk
elements.
In fiscal year 2010, PIH discontinued the comprehensive consolidated reviews and focused most of its resources on the review of American Recovery and Reinvestment Act (ARRA) grants and other high-priority goals. In fiscal year 2010, HUD began implementing plans to comply with the Improper Payments Elimination and Recovery Act of 2010 (IPERA) and Presidential Executive Order 13520, Reducing Improper Payments issued in 2009. Additionally, in consultation with OMB, HUD developed six supplemental measures for PIH and four supplemental measures for the Office of Multifamily Housing to track and report on intermediaries’ efforts for addressing improper payments.

HUD demonstrated improvements in its internal control structure to address the significant risk that HUD’s intermediaries did not properly carry out their responsibility to administer assisted housing programs in accordance with HUD requirements. HUD’s increased and improved monitoring resulted in a significant decline in improper payment estimates over the last several years. However, HUD needs to continue to place emphasis on its onsite monitoring and technical assistance to ensure that acceptable levels of performance and compliance are achieved and periodically assess the accuracy of intermediaries’ rent determinations, tenant income verifications, and billings.

Tenant income is the primary factor affecting eligibility for housing assistance, the amount of assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy payment makes up the difference between 30 percent of a household’s adjusted income and the housing unit’s market rent or, under the Section 8 voucher program, a payment standard. The admission of a household to these rental assistance programs and the size of the subsidy the household receives depend directly on the household’s self-reported income.
However, significant amounts of excess subsidy payments occur because of errors in intermediaries’ rent determinations and undetected, unreported, or underreported income. By overpaying rent subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds that could have been used to subsidize other eligible families in need of assistance.

HUD’s Gross Estimate of Erroneous Payments Slightly Increased in Fiscal Year 2010

The estimate of erroneous payments that HUD reports in its Agency Financial Report (AFR) relates to HUD’s inability to ensure or verify the accuracy of subsidy payments being determined and paid to assisted households. This year’s contracted study of HUD’s three major assisted housing programs estimated that the rent determination errors made by the intermediaries and intentional underreporting of income by the tenants resulted in substantial subsidy overpayments and underpayments. The study was based on analyses of a statistical sample of tenant files, tenant interviews, and income verification data for activity that occurred during fiscal year 2010.

From the HUD study, we determined the total gross error of $959 million [26], which represents 3.64 percent [27] of the rental housing assistance program expenditures tested. We found that HUD reported in the AFR a gross error rate of 2.9 percent using the $32 billion total housing assistance expenditures reported in the fiscal year 2010 financial statements. However, the $32 billion includes $6 billion in administrative fees and Moving to Work program subsidies.
The $6 billion is the difference between the more than $32 billion that HUD reported in fiscal year 2010 financial statements and the $26 billion in disbursements that we found to be attributable to the quality control and income match studies. Our calculation differs from HUD’s because we excluded program expenditures for Moving to Work PHAs that were not included in the universe for testing (in HUD’s Quality Control Study and Income Match Study) and administrative fees. For fiscal year 2011, we are reporting the 2010 improper payments projections and error without comparing the results to the previous years. The result this year is not comparable to the projections in the prior years.

[26] The $959 million is the sum of $650 million in administrative error plus $203 million income matching errors from the 2010 QC study plus $106 million billing errors not tested in fiscal year 2010 QC study.
[27] The 3.64 percent is calculated by dividing $959 million by $26 billion of total rental assistance program expenditures tested by 2010 HUD’s quality control study.

HUD continues to report a substantial amount of gross dollar erroneous payments in the rental housing assistance program. In fiscal year 2011, HUD reported in its AFR a combined gross improper payment estimate of $853 million in fiscal year 2010. These estimated gross improper payments exclude the $106 million in billing errors. Furthermore, in its fiscal year 2010 AFR, HUD did not report the administrator error, income reporting error, or billing error for the Public Housing rental assistance program.
Additionally, HUD did not report the billing error for the Section 8 Voucher program. [28] The three elements of the payment error estimates reported by HUD in fiscal years 2010 and 2009 are provided in detail below.

Administrator error [29] - This error represents the program administrators’ failure to properly apply income exclusions and deductions and correctly determine income, rent, and subsidy levels. HUD reported a slight increase from $649 million in estimated gross erroneous payments due to administrator error in fiscal year 2010 to $650 million in fiscal year 2011.

Income reporting error [30] - This error represents the tenant beneficiary’s failure to properly disclose all income sources and amounts upon which subsidies are determined. HUD reported $203 million in estimated gross erroneous payments in income reporting error in fiscal year 2011. This is a 6.7 percent decrease compared to prior-year estimates of $218 million.

Billing error [31] - This error represents errors in the billing and payment of subsidies between HUD and third-party program administrators, housing providers, or both. HUD did not conduct a billing study for fiscal year 2010.
However, in FY 2011 HUD reported $106 million gross erroneous payments using data for fiscal year 2004 for public housing and fiscal year 2009 data for housing.

[28] In FY 2007, HUD made structural changes in the Public Housing rental assistance program so that the Public Housing Operating Fund would be distributed by formula. According to HUD, this change effectively eliminated improper payments due to administrator, income reporting, or billing errors for the Public Housing rental assistance program because the effect of these errors would be borne by the PHA and HUD’s subsidy payment would remain unchanged. Starting in 2010, the Public Housing Operating Fund was no longer frozen; thus, HUD is reporting administrator, income reporting, and billing error for the current year. For the Section 8 Voucher program, HUD implemented budget-based funding in FY 2005, which eliminated billing errors in the program.
[29] The $649 million estimate for the 2009 study does not include $130 million in administrator error for the public housing rental assistance program. The $650 million estimate for the 2010 study does not include $141 million in administrative error as well.
[30] The $203M reported estimates in FY 2011 include the $80, $45, and $35 million, while $218M estimates reported in FY 2010 do not include $45 and $85 million in income reporting error for the Public Housing rental assistance program.
[31] The estimate of billing error only covers the Office of Housing’s Section 8 multifamily project-based Section 202 project rental assistance projects (PRAC), Section 811 PRAC, and Section 202 project assistance contracts. HUD does not include the public housing rental assistance program or the Section 8 Housing Choice Voucher program in the study used to determine the estimated erroneous payments due to billing error.

Initiatives To Mitigate Risks That Contribute to Improper Payments Should Be Continued

Effective January 31, 2010, HUD required all public housing agencies and owners and management agents to use the Enterprise Income Verification (EIV) systems to verify the identity, employment, and income of program participants to improve the eligibility and accuracy of income and rent determinations in the Rental Housing Assistance Program (RHAP). PIH and the Office of Housing have separate EIV systems, but they have similar designs according to HUD’s Office of Housing staff. The EIV systems are Web-based systems, which compile tenant income information and make it available online to HUD business partners to assist in determining accurate tenant income as part of the process of setting the rental subsidy. EIV matches tenant data against Social Security Administration information, including Social Security benefits and Supplemental Security Income, and with the U.S. Department of Health and Human Services National Directory of New Hires database, which provides information such as wages, unemployment benefits, and Internal Revenue Service form W-4 (“new hires”) data, on behalf of PIH and multifamily housing programs.
The EIV systems are available to PHAs nationwide and to owner-administered project-based assistance programs, and they are required to use the EIV systems in their day-to-day operations pursuant to 24 CFR (Code of Federal Regulations) 5.233.

In response to Presidential Executive Order 13520, PIH established six supplemental measures to manage the risk from improper payments: (1) Public and Indian Housing Information Center (PIC) reporting rate, (2) EIV system access rate, (3) EIV system usage rate, (4) failed identity verification rate, (5) deceased single-member households, and (6) income discrepancy rate. Because PIH’s EIV system relies on tenant data from PIC, the PIC reporting rate is an important supplemental measure. The other five supplemental measures are based on reports from the EIV system and are potential risk factors for improper payments. In our fiscal year 2011 review of HUD’s supplemental measures for improper payments, we found that HUD generally complied with the IPERA requirements. By August 2011, PIH completed the development of the strategy to identify the most critical PHAs that showed the most income discrepancies and the largest number of overdue tenant recertifications. Additionally, PIH was in the process of implementing the electronic notification process for these PHAs.

The majority of administrator errors identified in the fiscal year 2010 quality control report occurred in the Section 8 Housing Choice Voucher program, which is reported on by HUD as part of its estimate of gross erroneous payments. Two major sources of administrator error identified by the report were overdue tenant recertification and verification errors.
However, PIH had developed corrective actions to reduce the incidence of these two sources of error.

In response to the Executive Order 13520, the Office of Multifamily Housing (Housing) established four supplemental measures to manage the risk from improper payments: (1) EIV access rate, (2) EIV usage rate, (3) failed identity verification rate, and (4) deceased single-member households. Housing derived the EIV access rate and EIV usage rate through ad hoc reports. However, an EIV access report and an EIV usage report were being developed, and the reports were expected to be available by April 2012. Unlike PIH, Housing’s supplemental measures did not track or report on income discrepancies at the 100 percent threshold, as the tenant-income reporting error was one of the three major sources of error for improper payments.

A recent OIG audit [32] highlighted problems with Housing’s oversight and monitoring of Performance Based Contract Administrators (PBCA) due to insufficient staff and travel funds. Housing relies on the Management and Occupancy Reviews (MOR) conducted by the PBCAs to detect all three sources of error for improper payments. Since the recommendations proposed by OIG are still open for this audit, we cannot be certain that the issues elevated regarding Housing's staffing and its oversight of PBCAs have been resolved.
Housing has been working on the development of the Integrated Subsidy Error Reduction System (iSERS), which would collect data on specific errors in rental subsidy calculations detected during MORs, but iSERS will not be operational until fiscal year 2013 at the earliest.

HUD made substantial progress in taking steps to reduce erroneous payments. We are encouraged by the ongoing actions to focus on improving controls regarding income verification. However, as noted above, there are several areas in which HUD needs to improve. In addition, PIH needs to continue addressing administrator error through increased electronic remote and onsite monitoring as needed and ensure that correct income and allowance amounts are used in rent calculations. In the Office of Housing, there are insufficient staff and travel funds to provide adequate oversight and monitoring of PBCAs, making reliance on the MORs to detect erroneous payments by owners and management agents a questionable strategy. Until these problems are resolved, Office of Housing staff needs to review the EIV reports and MORs, following up with owners and management agents.

Monitoring Public Housing Agencies’ Utilization of Section 8 Housing Choice Voucher Program Funds Has Improved

The Section 8 Housing Choice Voucher program is HUD’s largest housing assistance program, with an annual appropriation of $18 billion, and provides assistance to around 2.1 million families.
The annual appropriation acts require HUD to distribute the full amount of funding appropriated using a formula based on the housing agencies’ self-reported prior-year costs reported in the Voucher Management System (VMS). HUD expects PHAs to retain and use the funds provided in their entirety for authorized program activities and expenses within the time allowed. Program guidance states that any budgetary authority provided to PHAs that exceeds actual program expenses for the same period must be accounted for and maintained as restricted cash and made available for housing assistance. Although these funds are retained by the PHA, HUD relies on the PHAs to hold excess budgetary authority in reserve and make funds available for serving more families. According to HUD’s monitoring systems, as of June 30, 2011, PHAs’ net restricted assets (NRA) accounts showed an estimated balance of $1.39 billion in excess funding.

[32] Audit report number 2009-SE-0003, “HUD’s Monitoring of the Performance-Based Contract Administrators Was Inadequate”, issued September 1, 2009

HUD’s monitoring of PHAs’ budgetary authority utilization is an essential internal control to provide accountability of program resources and ensure that excess funds are safeguarded and only used for authorized program activities. Accurate VMS cost data are essential to (1) correctly calculate the $18 billion in annual PHA budget allocations, (2) determine overutilization and underutilization of funds and excess budget authority available for unanticipated cost increases and budget offsets, and (3) evaluate PHAs’ performance in ensuring that the maximum numbers of families are served.

In prior years, we recommended that HUD increase its monitoring efforts regarding the excess budget authority, seek legislative authority to annually offset excessive funding reserves, reconcile PHAs’ accounting with HUD-estimated funds to ensure that funds exist, and improve its onsite monitoring by including the confirmation of excess budget authority as part of the VMS reviews.

Since fiscal year 2009, HUD has addressed our audit recommendation to reconcile the PHAs’ NRA account balances reported in the Real Estate Assessment Center’s (REAC) Financial Assessment Subsystem-Public Housing (FASS-PH) against the HUD-estimated NRA balances based on VMS expenditure data. During fiscal year 2010, the responsibility for completing the NRA reconciliations shifted from the FMC to the REAC FASS Team. The NRA estimation process had been improved as a result of the reconciliation initiative, and the use of audited financial data in FASS-PH and program data from VMS to support the NRA values. The resulting changes led to an increase in the recognized value of the NRA held by PHAs.
According to a report relying only on VMS data, the total NRA held by PHAs as of December 31, 2009, was approximately $838 million. As a result of the reconciliation, that value was corrected and increased to nearly $1.1 billion. Additionally, HUD developed a Web tool for PHAs to use in projecting their future funding utilization and reserves balances.

In an attempt to control the excessive NRA accumulation, HUD included language in its fiscal year 2011 congressional budget justification seeking authority to reduce the budget allocation to those PHAs holding reserves exceeding 6 percent of their annual budget. This legislation was not approved during the 2011 budget process. If the legislation had been approved, HUD would have obtained permanent authority to perform budgetary offsets to those PHAs that are not maximizing the use of funds.

The total NRA account balances held by PHAs as of June 30, 2011, were $1.39 billion. Of that value, we calculated that 1,891 PHAs held $1.01 billion in excess of six percent of their annual budgetary authority, representing the amount of excess unused funds that could be recaptured (or offset) if the funds are still not used by year-end.

PIH officials indicated that Congress was considering offsetting $350 to $750 million in unused reserves as part of the fiscal year 2012 appropriations bill. However, based on our analysis, we recommend increasing the budget offset request up to $820 million.
Starting in fiscal year 2012, in a measure to safeguard and reduce the risk of funds being misused, PIH plans to continue allocating the entire amount appropriated by Congress but will scrutinize PHAs’ reserves quarterly and reduce or withhold disbursements to PHAs holding excessive reserves until funding reserves decrease to acceptable levels. However, depending on whether HUD obtains permanent authority to offset funding, HUD could end up accumulating and accounting for the PHAs’ reserves withheld as unpaid obligations. As a consequence, HUD must ensure that unpaid obligations are accounted for and reported properly in HUD’s financial statements. HUD must review the unpaid obligations at least annually, deobligate any unneeded undisbursed reserves amount assigned to PHAs during the budget allocation, and present those unneeded reserves as unobligated balances in HUD’s financial statements.

Lastly, because the NRAs are held in PHA accounts, it is our belief that there is a higher potential for waste, fraud, and mismanagement than if the funds were controlled by HUD. Further, we are concerned that the existence of the NRA account balance may affect the accuracy of HUD’s financial reporting if the funds allocated to PHAs are being treated as program costs, although the funds are not being disbursed for program purposes in the current fiscal year.

Monitoring of Public Housing Agencies’ Utilization of Operating Subsidy Program Funds Had Weaknesses

The Public Housing Operating Fund provides operating subsidies to 3,137 housing authorities to assist in funding the operating and maintenance expenses of their own dwellings in accordance with Section 9 of the U.S. Housing Act of 1937, as amended. The subsidies are required to help maintain services and provide minimum operating reserves. The operating subsidy is authorized under 42 U.S.C. (United States Code) 1437g and the regulations under 24 CFR Part 990. The regulations establish the eligibility requirements for a PHA to receive an operating subsidy, explain the components of the subsidy formula, and describe how the subsidy is disbursed to eligible recipients. In accordance with HUD Financial Management Handbook 7475.1, PHAs are allowed to establish reserves for such purposes and in such reasonable amounts as may be required in the prudent operation of the projects and as may be approved by the Government using the operating receipts of the projects.

The operating subsidy is determined as the difference between formula expense and formula income. If a PHA’s formula expense is greater than its formula income, the PHA is eligible for an operating subsidy. Formula expense is an estimate of a PHA’s operating expense and is determined using three components: (1) project expense level (PEL), (2) utility expense level (UEL), and (3) other formula expenses. Formula income is an estimate of a PHA’s non-operating subsidy revenue.

During fiscal year 2011, we assessed HUD’s funding allocation process for the Operating Subsidy program. Specifically, we wanted to determine whether HUD prudently determined the operating subsidies funding allocations needed in a reasonable manner. We found that HUD analyzed the PHAs’ financial statements data to monitor the program funding utilization and funding reserves accumulated over time.
HUD records indicated that the total operating subsidy that HUD provided to the PHAs in fiscal years 2009 and 2010 was $4.45 billion and $4.76 billion, respectively. Our analysis found that the total reserves held were equivalent to an entire year’s worth of funding and appeared excessive. HUD’s data showed that as of the last financial statement, the PHAs’ total operating reserves held was $4.06 billion.

Increases in Operating Subsidy reserves were due to three factors: (1) there were inaccuracies in the Information Management System (IMS)-PIC, which tracks PHAs’ total number of units eligible and available for inclusion in funding calculations; (2) the operating funding formula used multifamily housing project cost data to estimate the PHA project level cost for PHAs, and this variable did not consider synergies obtained from PHAs managing larger projects; and (3) the formula funding process did not factor the actual cost and actual tenant income reported by the PHAs in FASS-PH. Making these comparisons would have helped determine the actual need for funding, rather than allocating and disbursing the total amount appropriated by Congress, and reduced the accumulation of reserves.

HUD was aware of the problem and was working to perform up to a $1 billion nationwide offset if authorized by the fiscal year 2012 budget. However, the planned budget offset only represents 25 percent of the total excess reserves. PHAs have $4.06 billion in total reserves, of which $1.89 billion is in excess of the recommended 6-month operating reserves PHAs should maintain. In addition to the $1 billion that should be offset, there is a potential of an additional $890 million in PHAs’ accrued expenses and long term liabilities that constitute the remaining excess reserves that HUD needs to evaluate.
If not needed, HUD should also include these funds in the request for a funding offset.

Significant Deficiency 6: Controls Over HUD’s Computing Environment Can Be Further Strengthened

HUD’s computing environment, data centers, networks, and servers provide critical support to all facets of HUD’s programs, mortgage insurance, financial management, and administrative operations. In prior years, we reported on various weaknesses with general system controls and controls over certain applications, as well as weak security management. These deficiencies increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation.

We evaluated selected information systems’ general controls of HUD’s computer systems on which HUD’s financial systems reside. We also followed up on the status of previously reported application control weaknesses. Our review found information systems control weaknesses that could negatively affect HUD’s ability to accomplish its assigned mission, protect its data and information technology assets, fulfill its legal responsibilities, and maintain its day-to-day functions. Presented below is a summary of the control weaknesses found during the review.

Security Management Program

HUD had continued its progress in implementing a comprehensive, entitywide information system security program.
Specifically, HUD had (1) created a new Cyber Security Awareness and Training Program that addresses specialized security roles and responsibilities, (2) issued a memorandum to the program offices requesting confirmation of separate accounts for administrative and nonadministrative duties, and (3) developed appropriate interconnectivity service agreements and memorandums for contractor systems. Additionally, HUD had provided corrective action plans that will address continuous monitoring, two-factor authentication, and the user management identity management program.

Although HUD had made improvements, management attention is needed to ensure that all individuals are properly trained on their security responsibilities before allowing them continued access to information systems. Twenty-six percent of HUD employees accessing information systems had not taken security awareness training during fiscal year 2011. Security awareness training is to be used by organizations to inform users of the common goal of protecting information and information technology-related resources of the agency.

Security Weaknesses in HUD’s Network Devices

During fiscal year 2010, we audited security controls over HUD’s network devices [33] to determine whether the security configurations implemented on the devices provided adequate controls to prevent abuse or unauthorized access to HUD’s information resources.
We evaluated security measures that protect HUD information by scanning identified network devices and identifying vulnerabilities and suspect configurations that place sensitive information at risk.

Security configurations implemented on HUD’s network devices were weak. Specifically, HUD did not (1) maintain a complete inventory of network devices, (2) implement strong security configurations on network devices, and (3) implement security configurations that sufficiently protected network paths. If HUD cannot comprehensively identify devices within its network, it cannot determine when there is unauthorized access to its network. An attacker could potentially exploit the weak security configurations to obtain information on the network and gain access to HUD’s systems and sensitive information. Failure to securely configure network devices and analyze information flow within a network increases the chances of sensitive information disclosure occurring without detection.

We followed up on the status of these weaknesses during fiscal year 2011 and determined that corrective actions had been implemented for most of these weaknesses. HUD planned to complete corrective actions for the remaining recommendation by December 2, 2011.

Preventive Maintenance Not Performed for the IBM Mainframe Operating System and Database Software

HUD’s information technology (IT) support contractor did not perform preventive maintenance on the IBM mainframe system software [34] to keep products up to date and available for support and enhancements.
Software patches were not always installed, and software versions were not always upgraded to the minimum level that is supported by IBM. At least one issue was identified due to software patches not being applied as part of preventive maintenance. Specifically, during September 2009, the owner of the Tenant Rental Assistance Certification System requested installation of the DB2 [35] Connect Enterprise software to allow connectivity to the DB2 databases on the IBM mainframe from applications based on other platforms. The request was approved, but the installation was delayed because software patches for the DB2 version 7.1 running on the IBM mainframe had not been installed up to the minimum supported level for processing with the new DB2 Connect Enterprise version 9.5 software. Also, DB2 version 7.1 had reached its end of support life [36] as of June 30, 2008.

[33] Audit report number 2010-DP-0004, “Security Weaknesses on HUD’s Network Devices,” issued September 30, 2010
[34] Audit report number 2011-DP-0001, “HUD Did Not Properly Manage HITS Contracts and Contractors To Fully Comply With Contract Requirements and Acquisition Regulations,” issued October 6, 2010
[35] DB2 is a database management system.

In addition to the DB2 software, we found two other system software products that had reached or were close to reaching their end of support life.
The CICS[37] software, used to support the online transaction processing on the IBM mainframe, was upgraded to CICS Transaction Server version 2.3 in June 2010, but had reached its end of support life in September 2009. Also, the z/OS mainframe operating system was upgraded in July 2010 from z/OS 1.7 to z/OS 1.9, which reached its end of support life in September 2010.

Preventive maintenance was not generated and distributed for products that had reached end of support life; therefore, preventive maintenance could not be performed to mitigate future potential problems as recommended by industry-standard best practices. The use of system software that was not maintained at the recommended level of service could result in system outages, delays in service, and the inability to implement changes required by new initiatives or legislation.

We followed up on the status of these weaknesses during fiscal year 2011 and determined that HUD had made progress in remediating these weaknesses. The z/OS operating system was upgraded, and CICS was scheduled for upgrade in November 2011. Additionally, HUD’s IT support contractor included maintenance upgrades in the latest version of the MVS Implementation and Maintenance guide. HUD planned to complete corrective actions for these weaknesses by November 30, 2012.

IBM Mainframe Libraries Not Properly Managed

In fiscal year 2010, we reported that HUD’s IBM Mainframe z/OS[38] authorized program facility (APF)[39] libraries were not adequately controlled.
We reviewed the IBM mainframe authorized libraries and identified weaknesses that left HUD’s IBM mainframe vulnerable to unauthorized access. Three libraries were not under CA Top Secret[40] resource security protection.[41] The resource level of protection is the most secure level of protection because it prevents programmers from linking into protected programs and files. Additionally, the APF list included the names of libraries that did not exist, increasing the risk that unauthorized programs could be inserted and executed in the IBM mainframe z/OS environment. This type of weakness could seriously diminish the reliability of information produced by all of the applications supported by the computer system and increase the risk of fraud and sabotage.

[36] End of support life is when the vendor stops providing basic support (e.g., problem resolution, providing software patches, etc.) for a product.
[37] CICS is a transaction manager designed for rapid, high-volume online processing.
[38] z/OS is the computer operating system for IBM's z-Series 900 (z900) line of large (mainframe) servers.
[39] The authorized program facility is an IBM tool that limits the use of sensitive system services and resources to authorized system and user programs.

We followed up on the status of this weakness during fiscal year 2011. We once again identified APF libraries that were not under CA Top Secret resource security protection. We determined that HUD’s IT support contractor did not always follow the procedures in place for ensuring the APF libraries were properly controlled.
Further, the support contractor did not always follow procedures for notifying ADP Security when adding libraries to the APF. Details of these findings will be included in our report for our fiscal year 2011 review of information systems controls in support of the financial statement audit to be issued in January 2012.

Disaster Recovery Grant Reporting System

In fiscal year 2009, we reported on selected controls within the Disaster Recovery Grant Reporting System (DRGR)[42] related to Neighborhood Stabilization Program (NSP) funding. We found that (1) access control policies and procedures for DRGR violated HUD policy, (2) the system authorization to operate was outdated and based upon inaccurate and untested documentation, (3) the Office of Community Planning and Development (CPD) did not adequately separate the DRGR system and security administration functions, and (4) CPD had not sufficiently tested interface transactions between DRGR and LOCCS. As a result, CPD could not ensure that only authorized users had access to the application, user access was limited to only the data that were necessary for them to complete their jobs, and users who no longer required access to the data in the system had their access removed. Further, the failure to sufficiently test interface transactions between DRGR and LOCCS left HUD with limited assurance that the $5.9 billion in NSP funding would be accurately processed.

During fiscal year 2011, HUD made additional progress toward resolving the issues identified in fiscal year 2009.
HUD completed actions to address the weaknesses pertaining to system access controls, system documentation, inadequate separation of duties, and insufficient testing of controls with LOCCS.

[40] CA-Top Secret is the software used on the IBM mainframe to secure resources from unauthorized exposure.
[41] Resource security protection prevents unauthorized updates to programs within the libraries.
[42] Audit Report No. 2009-DP-0007, Review of Selected Controls within the Disaster Recovery Grant Reporting System, issued September 30, 2009.

Additionally, we audited the DRGR system during fiscal year 2011[43] to determine whether adequate controls were in place to safeguard, accurately track, and report $1.93 billion in ARRA funds allocated to CPD’s NSP2. We found that the improvements CPD made to the DRGR system within the last year were beneficial to the overall assurance that the system’s data were properly maintained, safeguarded, and in compliance with Federal regulations. However, for HUD to address ARRA requirements for accurate data, additional improvements should be made to the DRGR system. We recommended that CPD modify the DRGR system to improve its application controls.
Also, the DRGR system owner needs to coordinate with OCIO to ensure that the (1) security documentation is updated, (2) contingency plan is adequately tested, and (3) DRGR system is included in the annual disaster recovery test as it is a mission-critical application.

Integrated Disbursement and Information System

During our fiscal year 2010 review of information system controls,[44] we found that application controls for IDIS were not properly placed and operating effectively. We noted the following deficiencies: (1) incompatible functions such as system administration and security administration were not adequately separated, and (2) there was no formal user recertification process to ensure that all users were properly recertified.

We found that (1) HUD field office personnel were granted access to the data for one grantee organization without oversight beyond the field office level, (2) field office personnel were granted headquarters level access[45] as part of the continuity of operations plan without sufficient compensating controls, and (3) HUD users with administrative access within IDIS were granted access to production data within the application. These weaknesses existed because CPD designed IDIS with decentralized security without adequate controls in place to ensure that the overall security of the application remained within the control of HUD staff.
By not separating incompatible system administration and security responsibilities and reviewing the continued appropriateness of access to the financial systems, HUD increased its risk that sensitive financial data could be modified, disclosed, or misused or that erroneous or fraudulent transactions would be processed.

[43] Audit Report No. 2011-DP-0008: The Disaster Recovery Grant Reporting System That Maintained Recovery Act Information Had Application Security Control Deficiencies, issued July 28, 2011
[44] Audit Report No. 2011-DP-0004: Audit Report on the Fiscal Year 2010 Review of Information Systems Controls in Support of the Financial Statements Audit, issued January 14, 2011
[45] A user with headquarters administrative access has access to nationwide data within the application.

We also found that CPD did not require all users to sign and acknowledge the specific rules of behavior form created for the IDIS application. In addition, CPD did not implement a formal user recertification process for IDIS. Instead, CPD implemented controls within IDIS that allowed “administrators” from the grantee organization the ability to edit the profiles for users with access to the data for that grantee. These controls, however, shifted the responsibility of user access to the grantee administrator. Proper access controls place the responsibility with HUD staff. This condition occurred because management in the CPD Systems Division was not aware that there was an IDIS-specific rules of behavior form.
In addition, IDIS was designed with decentralized security controls, which did not ensure that overall security of the application remained within the control of HUD staff. Instead, “administrators” from grantee organizations were given the ability to modify user access. By not implementing strong access controls, HUD cannot ensure that users have access to only the data that are necessary for them to complete their jobs. In addition, HUD is unable to ensure that only authorized users have access to the system and that users who no longer require access to the data in the system have had their access removed.

HUD Procurement System

We audited HUD’s procurement systems in fiscal year 2006.[46] Through actions taken during fiscal years 2007 through 2010, the Office of the Chief Procurement Officer (OCPO) had made progress toward resolving the issues identified during the audit. However, two significant recommendations remained open during fiscal year 2011. The procurement systems continued to be noncompliant with Federal financial management requirements. In addition, OCPO had not yet implemented functionality to ensure that there was sufficient information within HUD’s current procurement systems to support the primary acquisition functions of fund certification, obligation, deobligation, payment, and closeout. During fiscal year 2011, OCPO worked to implement a replacement application for the current procurement systems.
The HUD Integrated Acquisition Management System (HIAMS) will completely replace OCPO’s legacy procurement systems, using a widely adopted acquisition management software system. Initial deployment of the application began in October 2011 and is planned for completion in January 2012.

[46] Audit Report No. 2007-DP-0003: Review of HUD’s Procurement Systems, issued January 25, 2007

Configuration Management

During fiscal year 2010, we performed an audit of controls over selected configuration management (CM) activities within HUD.[47] Although HUD had processes and procedures for managing the configurations of systems in HUD’s computing environment, those procedures were not always followed. HUD’s help desk application was not approved by the Configuration Change Management Review Board[48] (CCMB), although the application had been in use since 2007. As a result of our audit, the CCMB did approve the application as a HUD standard. Additionally, a software tool for use in the CM for source code and other software development assets went through multiple pilot tests without prior CCMB approval. Compounding the issue, OCIO’s Office of Enterprise Architecture determined in November 2007 that the tool would not meet user needs and would not be cost effective.

We also reviewed CM plans for the eTravel system and IDIS Online to determine whether they were kept up to date.
The CM plans for each system did not include all required information or contained outdated information for the areas of system overview, project references, roles and responsibilities, and supporting group contact information. In addition, the eTravel CM plan did not include sections such as baseline identification, measurements, configuration status accounting, configuration management libraries, release management, and configuration audits.

As part of our fiscal year 2011 audit, we reviewed the CM plan and selected controls for the DRGR system. The DRGR CM plan also did not include required information and contained outdated information. In addition, we identified weaknesses related to the DRGR testing environment and required testing documents. Details of these findings will be included in our report for our fiscal year 2011 review of information systems controls in support of the financial statement audit to be issued in January 2012.

Contingency Planning and Physical Security

In fiscal year 2009, we found that disaster recovery exercises did not fully test system functionality because critical applications were not verified through transaction and batch processing and the exercises did not include recovery of all applications that interface with the critical systems.
By not having current information in the disaster recovery plan and fully testing system functionality during disaster recovery exercises, HUD could not ensure that its systems and applications would function as intended in an actual emergency.

[47] Audit Report Number 2011-DP-0006, “HUD’s Controls Over Selected Configuration Management Activities Need Improvement”, issued March 24, 2011
[48] The CCMB was established to ensure that all changes made to the HUD IT infrastructure and system development platforms take place through a rational and orderly process.

We also determined that sensitive data stored on backup tapes, transported and stored offsite, were not adequately protected. HUD’s IT support contractor is required to create backup tapes of HUD’s mission-critical data and store the backup tapes at an offsite storage facility. These backup tapes are created for use in contingency operations and disaster recovery events and exercises. However, during the 2009 disaster recovery exercises, we observed that backup tapes from the offsite storage facility were not in encrypted form. HUD planned to include requirements to fully test system functionality during disaster recovery exercises and encrypt backup tapes being transported to and from the offsite storage facility in the next IT support contract.

For fiscal year 2011, we evaluated physical security controls at HUD’s data centers. We determined that weaknesses existed with regard to access to sensitive areas within the data center.
Specifically, temporary access to the computer room for a special project was not removed upon completion, an obsolete job function (phased out in March 2011) was on the access list to the computer room, and reviews of the access list for individuals with physical access to sensitive areas within the data center were not performed regularly and results of reviews were not documented. Access to sensitive areas allows individuals to be in direct physical contact with data center equipment such as the hardware, network equipment, cables and power cords, and physical storage media containing large amounts of electronic information. Inadequate controls over access to sensitive areas within the data center facility could lead to equipment damage, data loss, equipment downtime, theft and sabotage of equipment, and unintentional wrongdoing by personnel. HUD provided explanations for the weaknesses identified, and plans to revise procedures to ensure that review of access to sensitive areas properly includes documenting the date and results of the reviews.

FHA Information Technology Weaknesses

In fiscal year 2011, FHA’s independent public auditor (IPA) reported as a significant deficiency that the information security controls over FHA systems related to security and access controls, as well as configuration management and contingency planning, were deficient.
The report noted the following information security weaknesses by control area:

Security Management

   HUD’s IT security policies and procedures had not been updated to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations.

   The system security plans for FHA applications and general support systems were not being reviewed and updated in accordance with HUD policy or NIST standards.

   Vulnerability scanning practices did not agree with written HUD policy, and identified vulnerabilities were not being tracked for remediation.

   Specialized security training required by HUD policy and NIST standards was not being monitored and enforced.

   Agreements for external information systems and interface control documentation were not being maintained in accordance with HUD policy and NIST standards.

Access Control

   Management of user accounts was not being performed in accordance with HUD policy and NIST standards.

   Password and security parameter settings were not being consistently applied in accordance with HUD policy.

   Remote access authentication did not meet HUD policy and was not in compliance with NIST standards.

   Inactive user accounts were not always deactivated as required by HUD policy and in compliance with NIST standards.

Configuration Management

   Standard baseline configuration policies for FHA’s general support systems were not fully documented and implemented in accordance with HUD policy and NIST standards.

Contingency Planning

   Systems supporting critical operations were not consistently identified and tested in accordance with HUD policy and in compliance with NIST
   standards.

   Contingency plans for certain systems were incomplete or not updated in accordance with HUD policy and NIST standards.

Many of these weaknesses were observed and reported in prior FHA audits and management letters. FHA tracks actions to improve controls using corrective action plans and plans of action and milestones. While these plans often result in improvements to the specific system weaknesses reported, the IPA found that the weaknesses had not been remediated. Further, it found the same type of weaknesses when it examined different systems. This finding indicated that the root causes of the deficiencies were not being effectively addressed for all systems. The IPA’s recommendations requested FHA to work with HUD OCIO to resolve these long-standing issues.

Significant Deficiency 7: Weak Personnel Security Practices Continued To Pose Risks of Unauthorized Access to HUD’s Critical Financial Systems

For several years, we have reported that HUD’s personnel security practices regarding access to its systems and applications were inadequate. Deficiencies in HUD’s IT personnel security program were found, and recommendations were made to correct the problems. However, the risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up on previously reported IT personnel security weaknesses and deficiencies and found that deficiencies still existed.

HUD Did Not Have a Central Repository Listing of All Users With Access to HUD’s General Support and Application Systems

Since 2004, we have reported that HUD did not have a complete list of all users with greater than read access at the application level.
Those users with greater than read access to sensitive application systems are required to have a background investigation. Our review this year found that HUD still did not have a central repository that listed all users with greater than read access to HUD’s general support and application systems.

While HUD’s implementation in 2007 of the Centralized HUD Account Management Process (CHAMP) was a step toward improving its user account management practices, CHAMP remained incomplete and did not fully address OIG’s concerns. Specifically, we noted that

   CHAMP did not contain complete and accurate data. OCIO did not electronically update CHAMP with data from the HUD Online User Registration System. Instead, it chose to enter the legacy data manually. However, this process had not been completed. In a January 2009 audit report,[49] we recommended that all offices within HUD provide the historical information necessary to update CHAMP. OCIO agreed with our recommendation, and corrective action was scheduled for completion in December 2009. We followed up on this recommendation and found that as of September 30, 2011, OCIO had not completed entering user access data into CHAMP for all of HUD’s systems.
   Information provided by OCIO showed that user data had been entered into CHAMP for only 112 systems. As of September 16, 2011, HUD’s inventory of automated systems contained 208 active systems.

[49] Audit report number 2009-DP-0003, “Review of the Centralized HUD Account Management Process”, issued January 9, 2009

   HUD did not conduct a security categorization and a risk assessment for CHAMP as required by Federal Information Processing Standards Publications 199 and 200. HUD’s OCIO chose not to do so because it believed that these items were not required for CHAMP, which it considered to be a process rather than a system. HUD also believed that since CHAMP was exclusively owned by its IT contractor, it was not subject to these requirements. Without a security categorization and risk assessment of CHAMP, HUD cannot know the full extent of risks to which the CHAMP process is vulnerable or whether adequate levels of security controls have been put into place to protect data and applications impacted by CHAMP. In the January 2009 audit report, OIG recommended that OCIO conduct a security categorization and a risk assessment for CHAMP. OCIO agreed and originally expected to complete this task by August 31, 2009, but did not do so.
   We followed up on this recommendation and found that a contract was awarded on August 2, 2011, to perform the certification and accreditation for 30 systems, including CHAMP. However, due to the contract delay, OCIO was expecting to complete it by December 31, 2011.

Lack of Reconciliations To Identify Sensitive System Users Without Appropriate Background Investigations Remains a Concern

In prior audits, we found that HUD did not routinely identify users with greater than read access to HUD sensitive systems that had not undergone appropriate background checks. Granting people access to HUD’s information and resources without appropriate background investigations increases the risk that unsuitable individuals could gain access to sensitive information and inappropriately use, modify, or delete it. HUD’s Personnel Security Division is required to reconcile listings of users with above-read access to HUD’s sensitive systems to the database containing background investigation information to ensure that each user has had the appropriate background investigation. In our May 2010 audit report,[50] we recommended that HUD develop and implement a plan to routinely perform the quarterly reconciliation of users with above-read access to sensitive systems and general support systems to identify those without appropriate background investigations. However, no reconciliations were performed for fiscal year 2011.

We have reported since 2006 that the list of sensitive systems to be included in the reconciliation was incomplete.
In response to a recommendation in our fiscal year 2008 audit report,[51] OCIO planned to update the sensitive system list by April 30, 2010. OCIO recently provided clarification that HUD had 15 systems that were considered sensitive because of the financial and personally identifiable information they contained. However, the original condition still existed; only one system was required to be included in the reconciliation.

[50] Audit report number 2010-DP-0002, “Audit Report on the Fiscal Year 2009 Review of Information Systems Controls in Support of the Financial Statements Audit,” issued May 14, 2010

In fiscal year 2007, we first reported that the general support systems on which HUD’s mission-critical and sensitive applications resided were not included in the reconciliations because they were not classified as mission critical.[52] Granting people access to general support systems without appropriate background investigations increases the risk that unsuitable individuals could gain access to sensitive information and inappropriately use, modify, or delete it. We recommended that the Office of Security and Emergency Planning update its policies and procedures to include users of HUD’s general support systems in the user access reconciliation process. The Personnel Security and Suitability Handbook was updated in September 2009 but did not include language requiring general support systems to be included in the reconciliation process.
Having access to general support systems typically includes access to system tools, which provide the means to modify data and network configurations. We previously identified IT personnel, such as database administrators and network engineers, who had access to these types of system tools but did not have appropriate background checks. These persons were not identified as part of the reconciliation process. This issue still existed during fiscal year 2011.

[51] Audit report number 2009-DP-0004, “Fiscal Year 2008 Review of Information Systems Controls in Support of the Financial Statements Audit,” issued May 29, 2009
[52] Audit report number 2008-DP-0003, “Fiscal Year 2007 Review of Information Systems Controls in Support of the Financial Statements Audit,” issued March 4, 2008

Compliance With Laws and Regulations

In fiscal year 2011, we found instances where HUD did not ensure transactions were executed in accordance with laws governing the use of budget authority and with other laws and regulations that could have a direct and material effect on the financial statements and any other laws, regulations, and governmentwide policies identified in OMB audit guidance.

HUD Did Not Substantially Comply With the Federal Financial Management Improvement Act

FFMIA requires auditors to report whether the agency’s financial management systems substantially comply with the Federal financial management systems requirements and applicable accounting standards and support the USSGL at the transaction level.
We found that HUD was not in substantial compliance with FFMIA because CPD’s IDIS grant information system was not in compliance with Federal GAAP, FFMIA, and its internal controls over financial reporting as well as HUD’s financial management systems’ noncompliance with Federal financial management system requirements.

During fiscal year 2010, we found that CPD’s IDIS was determined to be noncompliant with FFMIA due to deficiencies in internal controls over financial reporting and its ability to process transactions that would follow Federal GAAP. These deficiencies were described in detail in Significant Deficiency 1: HUD Financial Management Systems Did Not Comply With the Federal Financial Management Improvement Act of 1996 (FFMIA) of the prior-year report.

HUD on an entitywide basis made limited progress as it attempted to address its financial management deficiencies to bring the agency’s financial management systems into compliance with FFMIA. Deficiencies remained as HUD’s financial management systems continued to not meet current requirements and were not operated in an integrated fashion and linked electronically to efficiently and effectively provide agencywide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs.

HUD was not in full compliance with OMB Circular A-127. The circular requires each agency to perform reviews of its financial management systems. However, HUD did not complete any OMB Circular A-127 reviews in fiscal year 2011. HUD is also required to maintain financial management system plans for each of their financial management applications.
We determined that HUD’s financial management systems plan document for fiscal year 2011 did not meet the requirements specified in the circular.

Federal Financial Management System Requirements

In its Fiscal Year 2011 Agency Financial Report, HUD reported that 3 of its 41 financial management systems did not comply with the requirements of FFMIA and OMB Circular A-127, Financial Management Systems. Although 38 individual systems had been certified as compliant with Federal financial management systems requirements, HUD performed only one OMB Circular A-127 review (FHA-SL) in the last two years and relied upon the results of OMB Circular A-123 and FISMA annual internal control reviews for individual applications. For the past two years, HUD has reported the ongoing OMB Circular A-127 evaluation of one core system, Federal Housing Administration Subsidiary Ledger (FHA-SL). Since the final report for the A-127 evaluation performed is not expected to be completed until December 2011, HUD continues to be noncompliant.

Additionally, in fiscal year 2010 OIG reported that IDIS was noncompliant with the requirements of OMB Circular A-127[53]. However, HUD continues to report IDIS as compliant[54]. Further, in fiscal year 2011, OIG determined that CPD’s financial management systems did not meet the computer system requirements of OMB A-127. Specifically, OIG determined that the DRGR program office’s application security management program had weaknesses.
The weaknesses in DRGR are identified in Significant Deficiency 1: HUD Financial Management Systems Do Not Fully Comply With Federal Financial Management System Requirements. Therefore, collectively and in the aggregate, deficiencies continued to exist.

We continue to report as a significant deficiency that HUD financial management systems need to comply with Federal financial management systems requirements. The significant deficiency addresses how HUD’s financial management systems remained substantially noncompliant with Federal financial management requirements.

[53] Audit Report 2011-FO-0003, Additional Details to Supplement Our Report on HUD’s Fiscal Years 2010 and 2009 Financial Statements, Significant Deficiency 1: HUD Financial Management Systems Do Not Comply with the Federal Financial Management Improvement Act of 1996 (FFMIA).
[54] See Appendix C of this report

FHA’s auditor reported as a noncompliance that FHA’s financial management infrastructure was comprised of many aging information systems developed over the last 30 years that were connected to each other, customers, and the general ledger through hundreds of electronic interfaces. FHA’s auditor stated that this complex and outdated infrastructure was becoming increasingly difficult and costly to maintain. FHA’s auditor reported that these limitations impacted FHA’s ability to “continue to operate in an effective and efficient manner” and to support its “changing business practices” as required by OMB Circular No.
A-127, Financial Management Systems. FHA had also implemented many expensive and manual compensating controls to ensure the reliability of its day-to-day financial reporting.

We also continue to report as significant deficiencies that (1) controls over HUD’s computing environment can be further strengthened and (2) weak personnel security practices continue to pose risks of unauthorized access to HUD’s critical financial systems. These significant deficiencies discuss how weaknesses with general controls and certain application controls and weak security management increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation.

We have included the specific nature of noncompliance issues, responsible program offices, and recommended remedial actions in appendix C of this report.

HUD Did Not Substantially Comply With the Antideficiency Act

HUD Had Not Made Progress in Reporting ADA Violations as Required

Our fiscal year 2011 audit found that HUD had not improved its process for conducting, completing, reporting, and closing the investigation of potential 31 U.S.C. 1351.1517(b) ADA violations. Our review found that none of the six cases identified as a potential deficiency in fiscal year 2009 were reported to the President through OMB, Congress, or GAO as required or determined not to be a violation. Of the six cases in which OCFO was notified of a potential violation, two of the six case files were opened in fiscal year 2003, two cases were opened in fiscal year 2004, one case file was opened in fiscal year 2005, and the remaining case was opened in fiscal year 2008.
In all six cases, OCFO had not completed its review to report the violations to the President through OMB, Congress, or GAO as required. Additionally, in four of the six cases, the Appropriations Law Division (ALD) had not completed its review as required. Therefore, we did not find any improvement in HUD’s conducting, completing, reporting, or closing potential ADA violation investigations.

We have reported in prior-year reports that HUD continued to show no substantial improvement to its process for conducting, completing, reporting, and closing the investigation of potential ADA violations. Since fiscal year 2009, we have reported HUD’s failure to report six cases identified as a potential deficiency to the President through OMB, Congress, or GAO as required or make a determination that no violation had occurred.

OCFO is responsible for conducting investigations and reporting on violations of ADA. HUD’s continued delay in completing ADA investigations and reporting known violations results in ADA violators avoiding timely reprimands or punishments and prevents timely correction of violations. In all six of the cases, OCFO had not completed its review as required to report the violation to the President through OMB, Congress, or GAO as required.

The lack of adequate oversight of the investigative process impeded the completion of the review process. The review process requires that in ADA cases for which the Funds Control Assurance Division has determined that an ADA violation has occurred, the case must be reviewed by the ALD before the report is reviewed by OCFO.
However, in four of the six cases reported since fiscal year 2009, ALD had not completed its review. Therefore, no progress had been made by OCFO in the 3 years since OIG first began reporting this finding.

HUD Did Not Comply With Laws and Regulations Governing Claims of the United States Government

Inadequate Efforts To Collect on Delinquent Direct Loans Continued

Regulations at 31 CFR Part 901, Standards for the Administrative Collection of Claims, hold HUD responsible for aggressively collecting all debts arising out of activities performed by the agency. These activities include notifying debtors of a delinquency and performing timely follow-up activities. As reported in the prior year, follow-up activities were not being substantially and promptly performed for Section 202 delinquent loans as required by HUD Handbook 1900.25, REV-3, and 31 CFR Part 901. Our review of the Section 202 delinquent loans determined that inadequate collection efforts continued. A sample of 13 projects with Section 202 loans delinquent more than 90 days noted 7 (54 percent) projects which did not show evidence that the owner was notified of the delinquency or that efforts were attempted to cure the delinquency 30 days after the delinquency occurred. While project managers started to follow up with property owners on the delinquent loan at the beginning of fiscal year 2011, follow-up activities were not performed for two delinquent loans before our review.
These seven loans had delinquent payments aged between 242 days and 7 years.

In addition, our review of the Flexible Subsidy loan portfolio determined that follow-up activities were not performed in a timely manner for two of three delinquent loans that were more than 90 days delinquent as of March 31, 2011. One of the two loans was delinquent before January 31, 2003, and the property owner submitted a proposal to address the delinquent payment on January 31, 2003, but was not approved until March 2011 due to inadequate follow-up efforts by the project manager. The project manager of the second loan did not follow up on the delinquent payment until the loan was delinquent for 26 months.

In response to our prior-year finding, the Office of Housing drafted guidance to address required collection procedures for Section 202 delinquent loans; however, the guidance had not been finalized and issued to project managers by the end of fiscal year 2011. In addition, the Office of Housing worked with OCFO to develop accurate delinquency reports to be provided to project managers and they were monitoring each hub’s progress in collecting delinquent loans. The Office of Housing was drafting guidance to address the collection procedures for Flexible Subsidy delinquent loans, which will be similar to the guidance drafted for the Section 202 loans. Inadequate efforts to collect on delinquent balances result in a higher risk of HUD’s assets becoming uncollectable.
If insufficient follow-up continues, over time, more direct loans that fall into delinquent status will be at a higher risk of becoming uncollectable.

Nonreporting of Delinquent Loan Information to Third Parties Continued

As reported in the prior year, OCFO did not report delinquent direct loans to third-party entities, such as credit bureaus and CAIVRS (Credit Alert Verification Reporting System) as required by 31 U.S.C. 3711. As a result, the delinquent status of debt due to HUD was not reported to other Federal credit agencies. Consequently, other agencies did not have all delinquent information available to perform prescreening procedures as required by 31 U.S.C. 3711 and OMB. HUD’s failure to report its delinquent debtors might have resulted in other agencies’ improperly qualifying ineligible debtors for a Federal loan. This reporting failure would prevent other agencies from effectively protecting the Government’s assets and curtailing the losses in relation to Government benefits provided.

Ensuring that this information is reported to third parties became even more important after HUD implemented the Emergency Homeowners’ Loan Program in fiscal year 2011, obligating more than $209 million in new direct loans to homeowners. The loans issued under the program will eventually be maintained in the Nortridge Loan System, thereby increasing the significance of having this reporting requirement functional in the immediate future.

During fiscal year 2011, HUD made significant efforts to configure the NLS to allow for the reporting of delinquent loan information to CAIVRS.
OCFO was waiting for the Office of Housing to finalize its formal notice, which describes the criteria for reporting delinquent direct loan debts to credit bureaus and CAIVRS, before initiating the reporting process. However, OCFO was still working on determining how to report delinquent loan information to credit bureaus.

OTHER MATTERS

HUD Did Not Obligate All of the Funds Appropriated for the Emergency Homeowners’ Loan Program

The Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203 (Dodd-Frank Act), enacted July 21, 2010, provided $1 billion in assistance through the Emergency Homeowners’ Relief Fund. HUD administered these funds under the Emergency Homeowners’ Loan Program (EHLP). Through EHLP, homeowners may receive a maximum of $50,000 in assistance in the form of a declining balance, nonrecourse, zero-interest, subordinate secured loan with a term of up to 7 years. No payment is due from homeowners during the term of the loan provided they remain current in their monthly homeowner contribution payments. If the homeowner meets this requirement, the balance due will decline by a HUD-designated percentage until the loan is fully satisfied.

Due to delays in establishing EHLP, HUD only obligated $528.2 million of the $1 billion appropriated for EHLP.
The $528.2 million in obligations included $46.8 million for a cooperative agreement with NeighborWorks America to facilitate outreach and application processing, $25.5 million for a fiscal agent agreement with Bank of New York Mellon to review application packages and service the loans issued by HUD, $246.6 million in grants to five States to operate programs deemed substantially similar to the EHLP, and $205.2 million for the credit subsidy portion of the direct loans issued by HUD. The Dodd-Frank Act specified a period, October 1, 2010, to September 30, 2011, when emergency mortgage relief payments could be obligated. As a result of the difficulties HUD encountered establishing the program, $471.8 million in funds not obligated by September 30, 2011, are not available for additional loans.

The delays HUD experienced in setting up EHLP were due to the uniqueness of the program, outsourced application intake and evaluation, lack of a permanent management structure, and the aggressive timeframe for obligating the funds. While EHLP was originally authorized by the Emergency Homeowners’ Relief Act of 1975, the program was never used, and it was removed from the Code of Federal Regulations in 1995. Additionally, HUD did not have any similar programs in operation or the in-house expertise to manage such a program. Further, HUD did not enter into agreements with NeighborWorks and Bank of New York Mellon until May 2011 and did not begin accepting applications from distressed homeowners until June 20, 2011, 10 and 11 months, respectively, after the passage of the Dodd-Frank Act.
NeighborWorks and its network of housing counseling agencies identified and contacted 43,000 applicants having a “good chance” of meeting the eligibility requirements of EHLP. However, a higher number of applicants were disqualified than HUD had anticipated, which led HUD to reopen the application window. The high disqualification rate, combined with the lengthy application process, led to HUD’s approving and obligating funds for 5,823 loans, as opposed to the approximated 19,000 HUD expected. While the loans were obligated by September 30, HUD had not completed the application evaluation for more than 5,000 loans. When the loan application evaluation is complete, there are likely to be fewer loans than obligated. While the funds for this program were “no year” money, HUD had no authority to make new loans and had already obligated the funds needed to administer the outsourced portions of this program. As a result, the unobligated balance of $471.8 million should be returned to the U.S.
Treasury, less amounts needed for upward adjustments for current loan obligations and expected administrative expenses for the current program.

Appendix A

Objectives, Scope, and Methodology

Management is responsible for

* Preparing the financial statements in conformity with accounting principles generally accepted in the United States of America;
* Establishing, maintaining, and evaluating internal controls and systems to provide reasonable assurance that the broad objectives of FMFIA are met; and
* Complying with applicable laws and regulations.

In auditing HUD’s principal financial statements, we were required by Government Auditing Standards to obtain reasonable assurance about whether HUD’s principal financial statements were presented fairly, in accordance with generally accepted accounting principles, in all material respects. We believe that our audit provides a reasonable basis for our opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls over financial reporting by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed into operation, assessed control risk, and performed tests of controls to determine our auditing procedures for the purpose of expressing our opinion on the principal financial statements. We are not providing assurance on the internal control over financial reporting. Consequently, we do not provide an opinion on internal controls. We also tested compliance with selected provisions of applicable laws, regulations, and government policies that may materially affect the consolidated principal financial statements.
Providing an opinion on compliance with selected provisions of laws, regulations, and government policies was not an objective, and, accordingly, we do not express such an opinion.

We considered HUD’s internal control over required supplementary stewardship information reported in HUD’s Fiscal Year 2011 Agency Financial Report by obtaining an understanding of the design of HUD’s internal controls, determined whether these internal controls had been placed into operation, assessed control risk, and performed limited testing procedures as required by AU Section 558, Required Supplementary Information. The tests performed were not to provide assurance on these internal controls, and, accordingly, we do not provide assurance on such controls.

With respect to internal controls related to performance measures to be reported in the Management’s Discussion and Analysis and HUD’s Fiscal Year 2011 Agency Financial Report, we obtained an understanding of the design of significant internal controls relating to the existence and completeness assertions as described in section 230.5 of OMB Circular A-11, Preparation, Submission and Execution of the Budget. We performed limited testing procedures as required by AU Section 558, Required Supplementary Information, and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended.
Our procedures were not designed to provide assurance on internal control over reported performance measures, and, accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we

* Examined, on a test basis, evidence supporting the amounts and disclosures in the consolidated principal financial statements;
* Assessed the accounting principles used and the significant estimates made by management;
* Evaluated the overall presentation of the consolidated principal financial statements;
* Obtained an understanding of internal controls over financial reporting (including safeguarding assets) and compliance with laws and regulations (including execution of transactions in accordance with budget authority);
* Tested and evaluated the design and operating effectiveness of relevant internal controls over significant cycles, classes of transactions, and account balances;
* Tested HUD’s compliance with certain provisions of laws and regulations; governmentwide policies, noncompliance with which could have a direct and material effect on the determination of financial statement amounts; and certain other laws and regulations specified in OMB Bulletin 07-04, as amended, including the requirements referred to in FMFIA;
* Considered compliance with the process required by FMFIA for evaluating and reporting on internal control and accounting systems; and
* Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by FMFIA. We limited our internal control testing to those controls that are material in relation to HUD’s financial statements.
Because of inherent limitations in any internal control structure, misstatements may, nevertheless, occur and not be detected. We also caution that projection of any evaluation of the structure to future periods is subject to the risk that controls may become inadequate because of changes in conditions or that the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose all matters in the internal controls over financial reporting that might be significant deficiencies. We noted certain matters in the internal control structure and its operation that we consider significant deficiencies under OMB Bulletin 07-04, as amended.

Under standards issued by the American Institute of Certified Public Accountants, a significant deficiency is a deficiency or a combination of deficiencies in internal control that is less severe than a material weakness yet important enough to merit attention by those charged with governance.

A material weakness is a deficiency or combination of deficiencies in internal controls, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis.

Our work was performed in accordance with generally accepted government auditing standards and OMB Bulletin 07-04, as amended.

This report is intended solely for the use of HUD management, OMB, and Congress.
However, this report is a matter of public record, and its distribution is not limited.

Appendix B

Recommendations

To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking System (ARCATS), this appendix lists the newly developed recommendations resulting from our report on HUD’s fiscal year 2011 financial statements. Also listed are recommendations from prior years’ reports that have not been fully implemented. This appendix does not include recommendations pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial statement audit reports of that entity.

Recommendations From the Current Report

With respect to the significant deficiency that HUD’s financial management systems need to comply with Federal financial management system requirements, we recommend that the CFO:

1.a. In coordination with the OIG, CFO Systems, CFO Accounting, CFO Financial Management, CPD Management, and CPD Systems, review the methodology used by CPD for assigning and disbursing budget fiscal year funding sources to activities within IDIS.

1.b. Based upon the understanding obtained of the methodology used by CPD, develop and execute procedures to determine whether the methodology used by CPD for assigning and disbursing budget fiscal year funding sources to activities within IDIS is in accordance with federal financial accounting standards and whether the budgetary and internal controls over financial reporting are adequately designed to provide reasonable assurance that misstatements, losses, or noncompliance material in relation to the financial statements would be prevented or detected on a timely basis.

1.c.
In coordination with CPD, develop modifications to IDIS and DRGR to correct the unacceptable errors or discontinue the use of these systems for any financial and budgetary information.

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with the appropriate program offices:

2.a. Recapture the $1.7 million for the 93 administrative and program unliquidated obligations that were marked for deobligation during the fiscal year 2011 open obligations review.

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that CPD:

2.b. Review the status of each of its homeless assistance contracts that make up the $32 million OIG identified as excess funding and recapture excess funds for expired contracts, which have not been granted extension.

2.c. Fully implement the internal control procedures and control activities that were drafted as a result of the fiscal year 2010 audit finding, that include specific policies, procedures and mechanisms, including appropriate documentation of extensions granted and follow-up efforts with the grantees to obtain the close-out documents, to ensure that grants are closed out within the 90-day period after the contract expiration or after the extension period, so that remaining balances are recaptured on a periodic basis.

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Office of Housing, in coordination with the CFO:

2.d.
Recapture the $3.8 million tied to the 78 inactive or expired obligations for the Section 202 and 811 programs.

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the Office of the Chief Procurement Officer, in coordination with the Office of Housing:

2.e. Review and, if necessary, close out the 76 obligations with remaining balances totaling $991 thousand that were forwarded by the Office of Housing Assistance and Grants Administration.

With respect to the significant deficiency that HUD needs to improve the process for reviewing obligation balances, we recommend that the CFO, in coordination with PIH:

2.f. For the Office of Public Housing Investment grants,
    i) Close out the 34 predevelopment grants and recapture $24 million in unpaid obligations in LOCCS; and
    ii) Perform a review of the 170 grants coded PDEV, LBAC, and COMP and any other grants not subject to or obligated before the Quality Housing Work and Responsibility Act of 1998 to ensure that the grants were obligated properly and not transferred to LOCCS, correct any inaccuracies, and ensure that the accounting records are complete.

2.g. For the Office of the Chief Financial Officer (in regards to Office of Public Housing Investment grants),
    i) Perform a $2 million downward and withdrawal adjustment for the unliquidated obligations that are unsupported in the Non PAS Program ledger or provide evidence of the grants for the unpaid obligations; and
    ii) Perform a $2.3 million downward and withdrawal adjustment for the duplicated grants.

2.h.
For the Office of Public Housing Investment grants,\n             i) Improve the PIH and CFO internal control environment to ensure that all\n                  grants in appropriation 0304 have a program office responsible for their\n                  administration and oversight and periodically conduct reviews of all\n                  predevelopment grants;\n             ii) For those low-rent grants without supporting documentation, obtain a\n                  statement from the field office directors certifying that no documentation is\n                  available to support the obligations as evidence to process the grants\xe2\x80\x99 closeout\n                  and recapture; and\n             iii) Improve the open obligation review process by including all PIH programs in\n                  the open obligation review and include quality control testing in the obligation\n                  reviews performed by the program offices.\n\n     2.i. For the Section 8 Housing Choice Voucher tenant-based program,\n             i) Develop formal written procedures to review the program obligations;\n             ii) Deobligate $18.3 million in expired contracts; and\n             iii) Include the Section 8 tenant-based program obligations in the departmental\n                  open obligation review process.\n\nWith respect to the significant deficiency that CPD needs to improve its oversight of grantees,\nwe recommend that CPD:\n\n     3.a. Consult with OCFO to determine whether the implementation of "true-FIFO"\n          complies with the Federal financial accounting standards and adequate budgetary and\n          internal control requirements over financial reporting.\n\n     3.b. Implement a policy to require grantees to include the reason for reopening activities\n          cancelled on the HUD-initiated activity cancellation reports.\n\n     3.c. 
Implement a policy to require CPD field offices to review the HUD-initiated activity\n          cancellation reports for activities that have been cancelled and reopened to follow up\n          and verify the validity of the activity.\n\n     3.d. Ensure that field offices have developed and implemented control activities, which\n          are documented and can be periodically tested and monitored by the Office of Field\n          Management, to ensure that the field offices have a system to ensure compliance with\n          the requirements within the biennial risk analysis process Notices for Implementing\n          Risk Analyses (CPD Notice 09-04) for Monitoring Community Planning and\n          Development Grant Programs and the CPD Monitoring Handbook.\n\n     3.e. Review information within the GMP system for consistency and completeness and\n          follow up with field offices when information is incomplete or inconsistent among the\n          risk analysis, work plans, and completed monitoring efforts.\n\n\n                                                76\n\x0c     3.f. Ensure that all required information has been updated and entered into GMP after the\n          due dates for submissions have passed and follow up with field offices that have not\n          entered their information.\n\n     3.g. Follow up on information in GMP to ensure that findings which had questioned costs\n          have been repaid and noncompliance and internal control deficiencies have been\n          addressed.\n\n     3.h. Develop, document, and implement internal control procedures for OAHP\xe2\x80\x99s review to\n          ensure that grantees comply with the terms of the grant agreement, which require the\n          grantees to perform monitoring procedures.\n\n     3.i. 
Develop, document, and implement internal control procedures for the review and\n          resolution of audit findings identified in the A-133 single audit reports as reported in\n          the FAC, including measures to ensure that all grantees have reported to the FAC.\n\n     3.j.    Maintain documentation readily available to support OAHP\xe2\x80\x99s compliance with the\n            requirements of OMB Memorandum M-10-14.\n\nWith respect to the significant deficiency that HUD needs to improve its administrative control\nof funds, we recommend that OCFO:\n\n     4.a    Establish and implement procedures to ensure that all program codes that disburse\n            HUD\xe2\x80\x99s funds have complete and approved funds control plans before the funds can\n            be disbursed.\n\n     4.b Establish and implement procedures to ensure that the funds control plans are updated\n         to include the new program codes and new appropriation requirements.\n\n     4.c    Develop and implement a 3-year cycle of funds control compliance reviews for all\n            approved funds control plans by completing the assessments of 1/3 of approved funds\n            control plans each fiscal year.\n\nWith respect to the significant deficiency that HUD needs to continue improving its oversight\nand monitoring of subsidy calculations, intermediaries\xe2\x80\x99 performance, and use of Housing Choice\nVoucher and operating subsidy program funds, we recommend that PIH:\n\n     5.a. Conduct remote monitoring and onsite monitoring as necessary to ensure that PHAs\n          have a review process in place to prevent consistency and transcription errors and to\n          ensure that income and allowance amounts used in the rent calculation are correct.\n\n     5.b. 
The Office of Housing report on income discrepancies at the 100 percent threshold\n          level as a supplemental measure; assign staff to review the deceased single-member\n          household and income discrepancy reports at least quarterly and follow up with\n          owners and management agents (O-A) listed on these reports; and include in the\n          contract between HUD and O-As a provision for improper payments that requires O-\n\n\n                                                77\n\x0c           and resolve in a timely manner income discrepancies, failed identity verifications, and\n           cases of deceased single-member households.\n\n     5.c. Request Congress provide an NRA offset amount for program reserves in excess of 6\n          percent of the PHAs\xe2\x80\x99 annual Budgetary Authority up to the estimated $820 million\n          and provide HUD with legislative authority to annually perform offsets of NRA\n          balances in excess of 6 percent of the PHAs\xe2\x80\x99 Budgetary Authority.\n\n     5.d. For the Operating Subsidy, PIH request congressional approval to perform a $1\n          billion offset or offset the held reserve exceeding 6 months of operating reserves.\n\n     5.e. For the Operating Subsidy, PIH should evaluate and document the nature of the\n          remaining $890 million of PHA operating subsidies reserve and request congressional\n          approval for an offset if it is determined these funds are excess.\n\nWith respect to HUD\xe2\x80\x99s substantial noncompliance with ADA, we recommend that the CFO, in\ncoordination with the appropriate program offices:\n\n     6.a   Amend the current ADA case processing timelines policy to establish a timeframe for\n           completion of review of the preliminary assessment report by the CFO and Deputy\n           CFO.\n\nWith respect to HUD\xe2\x80\x99s substantial noncompliance with the laws and regulations governing\nclaims of the U.S. 
Government, we recommend that the Office of Housing:\n\n     7.a. Draft and issue guidance regarding collection procedures for delinquent Flexible\n          Subsidy loans and ensure the policy is communicated to each applicable project\n          manager and implemented after issuance.\n\nWith respect to \xe2\x80\x95Other Matters\xe2\x80\x96 that HUD did not obligate all of the funds appropriated for the\nEmergency Homeowners\xe2\x80\x99 Loan Program, we recommend that the CFO:\n\n     8.a Determine the amount of funds needed to cover future administrative costs and\n         possible upward adjustments of obligations to current EHLP beneficiaries.\n\n     8.b   Seek the authority from Congress to return to the U.S. Treasury up to $471.8 million\n           in funds not needed for potential upward adjustments to current loan obligations and\n           future administrative costs for the existing program.\n\n\n\n\n                                               78\n\x0c         Unimplemented Recommendations From Prior Years\xe2\x80\x99 Reports\n\nNot included in the recommendations listed above are recommendations from prior years\xe2\x80\x99\nreports on HUD\xe2\x80\x99s financial statements that have not been fully implemented based on the status\nreported in ARCATS. HUD should continue to track these under the prior years\xe2\x80\x99 report numbers\nin accordance with departmental procedures. Each of these open recommendations and its status\nis shown below. Where appropriate, we have updated the prior recommendations to reflect\nchanges in emphasis resulting from recent work or management decisions.\n\n\nOIG Report Number 2011-FO-0003 (Fiscal Year 2010 Financial Statements)\n\nWith respect to the significant deficiency that HUD\xe2\x80\x99s Financial Management Systems Need to\nComply with Federal Financial Management System Requirements, we recommend CPD:\n\n     1.a. 
Cease the changes being made to IDIS for the HOME program related to the FIFO\n          rules until the cumulative effect of using FIFO can be quantified on the financial\n          statements. (Final action target date is June 21, 2012; reported in ARCATS as\n          recommendation 1A.)\n\n     1.b. Change IDIS so that the budget fiscal year source is identified and attached to each\n          activity from the point of obligation to disbursement. (Final action target date is June\n          21, 2012; reported in ARCATS as recommendation 1B.)\n\n     1.c. Cease the use of FIFO to allocate funds (fund activities) within IDIS and disburse\n          grant payments. Match outlays for activity disbursements to the obligation and\n          budget fiscal source year in which the obligation was incurred and in addition, match\n          the allocation of funds (activity funding) to the budget fiscal year source of the\n          obligation. (Final action target date is June 21, 2012; reported in ARCATS as\n          recommendation 1C.)\n\n     1.d. Include as part of the annual CAPER [consolidated annual performance and\n          evaluation report] a reconciliation of HUD\xe2\x80\x99s grant management system, IDIS, to\n          grantee financial accounting records on an individual annual grant basis, not\n          cumulatively, for each annual grant awarded to the grantee. (Final action target date\n          is June 21, 2012; reported in ARCATS as recommendation 1D.)\n\nWith respect to the significant deficiency that HUD needs to improve the process for reviewing\nobligation balances, we recommend that the CFO, in coordination with the appropriate program\noffices:\n\n\n\n\n                                               79\n\x0c      2.a. Deobligate the $3.2 million in administrative and program unliquidated obligations\n           that were marked for deobligation. 
          (Final action target date is October 31, 2011;
          reported in ARCATS as recommendation 2A. 55)

     2.b. Promptly perform contract closeout reviews and recapture of invalid obligations.
          (Final action target date is October 31, 2011; reported in ARCATS as
          recommendation 2B. 55)

     2.c. Review the 510 obligations which were not distributed to the program offices during
          the open obligations review and deobligate amounts tied to closed or inactive
          projects, including the $27.5 million we identified during our review as expired or
          inactive. (Final action target date is October 31, 2011; reported in ARCATS as
          recommendation 2C. 55)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that CPD:

     2.d. Investigate, through reviewing each individual obligating document and contacting
          the grantee, the $1.62 billion in obligations, which were originally obligated in 2005
          and prior, to obtain the intended use for open obligation amount (commitments, etc.).
          For those which do not have a specific intended use, CPD should recapture the open
          obligation amount. Where applicable for non-fixed-year funds, CPD should include
          the deobligated amounts in next year’s formula allocation. (Final action target date
          is October 14, 2011; reported in ARCATS as recommendation 2E. 55)

     2.e. For grantees which do not comply with program regulations, deobligate the funds
          related to the noncompliance from the older applicable grant award and not the
          current available for obligation awards. (Final action target date is June 21, 2012;
          reported in ARCATS as recommendation 2F.)

     2.f. In coordination with the CFO, develop and publish written guidance and policies to
          establish a benchmark for field directors to use to determine the validity of the open
          obligation. The guidance should include specific procedures for open obligation
          amounts, wherein the obligation was made before a specified amount of time, as
          well as disbursement inactivity beyond a specified amount of time. (Final action
          target date is October 31, 2011; reported in ARCATS as recommendation 2G. 55)

     2.g. In coordination with the CFO, develop procedures to periodically evaluate HUD’s
          program financial activities and operations to ensure that current accounting policies
          are sufficient and appropriate and to ensure that they are implemented and operated
          by program and accounting staff as intended. (Final action target date is October 31,
          2011; reported in ARCATS as recommendation 2H. 55)


55 As of the date of this report, this unimplemented recommendation had a corrective action plan that is overdue for
completion. OIG has performed audit follow-up activities to determine the status of the corrective action plan and is
working with the Department to ensure it is completed and the recommendation is addressed.

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Office of Housing, in coordination with the CFO,

     2.h. Implement a long-term financial management strategy and improvement plan to
          address data and system weaknesses to ensure that information for the Office of
          Housing’s obligations is kept up to date and accurate.
          (Final action target date is
          May 8, 2012; reported in ARCATS as recommendation 2K.)

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the CFO, in coordination with PIH:

     2.i. Coordinate a review and close out each of the 434 PIH low-rent grants in PAS
          subsidiary and determine the status of any other grants included in the OIG audit
          report SF-1997-107-0001 that remain open. (Final action target date is June 30,
          2012; reported in ARCATS as recommendation 2L.)

     2.j. After reviewing and closing out these 434 PIH low-rent grants, determine whether
          there are any overpayments that need to be recovered from any housing authority
          grants that were overpaid. (Final action target date is June 30, 2012; reported in
          ARCATS as recommendation 2M.)

     2.k. Recapture the full amount of obligations from these 434 PIH low-rent grants totaling
          $174 million and return to the U.S. Treasury the total balance of budgetary resources
          from invalid grants. (Final action target date is June 30, 2012; reported in ARCATS
          as recommendation 2N.)

     2.l. Update its funds control plans, adding procedures to ensure that any unexpended
          obligation portfolios are excluded from the open obligation review and for
          accurately documenting the entire accounting process and responsibilities. (Final
          action target date is December 30, 2011; reported in ARCATS as recommendation
          2O.)

     2.m. Develop procedures to periodically evaluate HUD’s program financial activities and
          operations to ensure that current accounting policies are sufficient and appropriate
          and to ensure that they are properly carried out by the program and accounting staff.
          (Final action target date is December 30, 2011; reported in ARCATS as
          recommendation 2Q.)

With respect to the significant deficiency that CPD needs to improve its oversight of grantees,
we recommend that CPD:

     3.a. Review the status of each of its homeless assistance contracts that make up the $97.8
          million OIG identified as excess funding and recapture excess funds for expired
          contracts, which have not been granted extensions. (Final action target date is
          February 2, 2012; reported in ARCATS as recommendation 4A.)

     3.b. Implement the guidance as instructed in the new HOME FACTS regarding activities
          that are over 12 months old with no funds disbursed; these activities will be
          automatically cancelled by HUD and the funds uncommitted. (Final action target
          date is May 31, 2011; reported in ARCATS as recommendation 4D. 55)

     3.c. Establish internal control procedures or internal regulations that require field offices
          to perform follow-up measures for participating jurisdictions (PJ) with slow-moving
          projects on an annual basis, including contacting the PJs and requiring the PJs to
          respond with an action plan for disbursing the unused funds on slow-moving projects.
          (Final action target date is February 29, 2012; reported in ARCATS as
          recommendation 4E.)

     3.d. Investigate the progress of the 350 stalled activities with funding dates 2005 and prior
          wherein the percentage of amounts drawn on the activity was 50 percent or less with
          a remaining undrawn amount of $27.5 million and recapture those amounts in which the
          activity can be cancelled. (Final action target date is October 14, 2011; reported in
          ARCATS as recommendation 4F. 55)

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that OCFO:

     4.a  Enhance the low-rent funds control plans to verify that the legislation changes are
          incorporated; ensure that the accounting treatment and policies employed are
          appropriate; and include the OCFO accounting and reporting staff in the review of the
          classification, disclosure, and presentation of programmatic accounting information.
          (Final action target date is December 30, 2011; reported in ARCATS as
          recommendation 5A.)

     4.b  Establish and implement procedures to ensure accuracy and completeness of ARRA
          funds control plans. (Final action target date is December 30, 2011; reported in
          ARCATS as recommendation 5B.)

     4.c  Conduct periodic reviews of the program offices’ compliance with requirements of
          the funds control plans. (Final action target date is December 30, 2011; reported in
          ARCATS as recommendation 5D.)

With respect to the significant deficiency that HUD needs to improve its administrative control
of funds, we recommend that OCFO, in coordination with the appropriate program offices:

     4.d  Develop and implement funds control plans for any program found to be without an
          up-to-date funds control plan.
          (Final action target date is December 30, 2011;
          reported in ARCATS as recommendation 5J.)

With respect to HUD’s substantial noncompliance with ADA, we recommend that the CFO, in
coordination with the appropriate program offices:

     5.a  Complete required steps on the six known potential ADA issues and report those
          determined to be violations immediately to the President, Congress, and GAO as
          required by 31 U.S.C., and OMB Circular A-11. (Final action target date is
          December 30, 2011; reported in ARCATS as recommendation 6A.)

     5.b  Investigate the potential ADA violation and other interagency agreements that were
          similarly executed. If the investigation determines that an ADA violation occurred,
          immediately report it to the President, Congress, and GAO as required by 31 U.S.C.,
          and OMB Circular A-11. (Final action target date is December 30, 2011; reported in
          ARCATS as recommendation 6B.)

     5.c  Develop or, where appropriate, modify and implement measures to prevent future
          potential ADA violations resulting from contracts funded over multiple fiscal years.
          (Final action target date is December 30, 2011; reported in ARCATS as
          recommendation 6C.)

With respect to HUD’s noncompliance with the laws and regulations governing claims of the
U.S. Government, we recommend that the Office of Housing:

     6.a  Finalize and issue the draft notice regarding collection procedures for delinquent
          Section 202 loans. (Final action target date is September 25, 2011; reported in
          ARCATS as recommendation 7A. 55)

     6.b  After issuance of the notice, ensure that the policy is effectively communicated to
          each applicable project manager and hub director nationwide.
(Final action target\n         date is September 25, 2011; reported in ARCATS as recommendation 7B.55)\n\n     6.c   Ensure adherence to the notice by establishing internal controls to record activities to\n           collect on delinquent loans. (Final action target date is October 14, 2011; reported in\n           ARCATS as recommendation 7C. 55)\n\nWith respect to HUD\xe2\x80\x99s noncompliance with the laws and regulations governing claims of the\nU.S. Government, we recommend that the CFO:\n\n     6.d Activate the delinquent debt reporting functionality to enable NLS to report HUD\xe2\x80\x99s\n         delinquent debt to credit bureaus and CAIVRS. (Final action target date is March 15,\n         2012; reported in ARCATS as recommendation 7D.)\n\n     6.e   Establish criteria to determine what delinquent debt should be subject to reporting.\n           (Final action target date is March 15, 2012; reported in ARCATS as recommendation\n           7E.)\n\n     6.f   Based on the criteria established, identify delinquent debts and report those to credit\n\n                                                83\n\x0c           bureaus and CAIVRS as required. (Final section target date is March 15, 2012;\n           reported in ARCATS as recommendation 7F.)\n\nOIG Report Number 2010-FO-0003 (Fiscal Year 2009 Financial Statements)\n\nWith respect to the significant deficiency that the CPD needs to improve its oversight of\ngrantees, we recommend that CPD:\n\n     7.a   Determine whether the $24.7 million in unexpended funds for the HOME program\n           from fiscal years 2001 and earlier that are not spent in a timely manner should be\n           recaptured and reallocated in next year\xe2\x80\x99s formula allocation. (Final action target date\n           is April 1, 2011; reported in ARCATS as recommendation 1E. 
55)\n\n     7.b Develop a policy for the HOME program that would track expenditure deadlines for\n         funds reserved and committed to community housing development organizations and\n         subgrantees separately. (Final action target date is September 30, 2011; reported in\n         ARCATS as recommendation 1F. 55)\n\nWith respect to the significant deficiency that HUD needs to improve the process for reviewing\nobligation balances, we recommend that the CFO, in coordination with the appropriate program\noffices:\n\n     8.a   Deobligate the $8.8 million in administrative and program unliquidated obligations\n           that were marked for deobligation. (Final action target date is March 11, 2011;\n           reported in ARCATS as recommendation 3A. 55)\n\n     8.b Promptly perform contract closeout reviews and recapture of invalid obligations.\n         (Final action target date is March 11, 2011; reported in ARCATS as recommendation\n         3B. 55)\n\nWith respect to HUD\xe2\x80\x99s substantial noncompliance with ADA, we recommend that the CFO, in\ncoordination with the appropriate program offices:\n\n     9.a   Complete the investigations and determine whether ADA violations have occurred\n           and if an ADA violation has occurred, immediately report to the President, Congress,\n           and GAO. (Final action target date is March 11, 2011; reported in ARCATS as\n           recommendation 5A. 55)\n\n     9.b Report the six ADA violations immediately to the President, Congress, and GAO as\n         required by 31 U.S.C. and OMB Circular A-11, upon receiving OCFO legal staff\n         concurrence with the investigation results. (Final action target date is March 16,\n         2011; reported in ARCATS as recommendation 5B. 
55)\n\n\n\n\n                                               84\n\x0cAppendix C\n\nFederal Financial Management Improvement Act Noncompliance,\nResponsible Program Offices, and Recommended Remedial Actions\n\n\nThis appendix provides details required under FFMIA reporting requirements. To meet those\nrequirements, we performed tests of compliance using the implementation guidance for FFMIA\nissued by OMB and GAO\xe2\x80\x99s Financial Audit Manual. The results of our tests disclosed that\nHUD\xe2\x80\x99s systems did not substantially comply with requirements. The details for our basis of\nreporting substantial noncompliance, responsible parties, primary causes, and HUD\xe2\x80\x99s intended\nremedial actions are included in the following sections.\n\nFederal Financial Management Systems Requirements\n1. HUD\xe2\x80\x99s annual assurance statement, issued pursuant to Section 4 of the Financial Manager\xe2\x80\x99s\nIntegrity Act, will report three nonconforming systems.56\n\n         The organizations responsible for systems that were found not to comply with the\n         requirements of OMB Circular A-127 based on HUD\xe2\x80\x99s assessments are as follows:\n\n     Responsible office                                Number of systems     Nonconforming systems\n     Office of Housing                                        18                        0\n     Office of the Chief Financial Officer                    14                        0\n     Office of Chief Human Capital Officer                     1                        1\n     Office of the Chief Procurement Officer                   0                        2\n     Office of Community Planning and Development              3                        0\n     Office of Public and Indian Housing                       1                        0\n     Government National Mortgage Association                  1                        0\n     Totals                                                   38                  
      3\n\n\n\nIn fiscal year 2010 OIG reported that C04 \xe2\x80\x93 Integrated Disbursement & Information System\n(IDIS) was noncompliant with the requirements of OMB Circular A-12757. Additionally, OIG\nhas determined that CPD\xe2\x80\x99s financial management systems did not meet the computer system\nrequirements of OMB A-12758.\n\n\n\n56\n   The three nonconforming systems are (1) A35-HUD Procurement System, (2) P035-Small Purchase System, and\n(3) D67A-Facilities Integrated Resources Management System,\n57\n   2011-FO-0003, Additional Details to Supplement Our Report on HUD\xe2\x80\x99s fiscal years 2010 and 2009 Financial\nStatements, Significant Deficiency 1: HUD Financial Management Systems Do Not Comply with the Federal\nFinancial Management Improvement Act (FFMIA) of 1996.\n58\n   Significant Deficiency1: HUD Financial Management Systems Do Not Fully Comply With Federal Financial\nManagement System Requirements \xe2\x80\x93 \xe2\x80\x95CPD\xe2\x80\x99s Grants Management Systems are Not Compliant with Federal\nFinancial System Requirements\xe2\x80\x96.\n\n                                                    85\n\x0cThe following section outlines HUD\xe2\x80\x99s plan to correct noncompliance with OMB Circular A-127\nas submitted to us as of September 30, 2011, and unedited by us.\n\n\n\n\n                                            86\n\x0c                     OFFICE OF THE CHIEF PROCURMENT OFFICER\n                           REMEDIATION PLAN AS of 08/05/2011\n\n\n                              A35 HUD Procurement Systems (HPS)\n                                P035 Small Purchase System (SPS)\n     Noncompliance Issue(s)                         Tasks/Steps                              Target       Actual\n                                              (including Milestones)                       Completion   Completion\n                                                                                             Dates        Dates\nINTERNAL CONTROLS\n         
                     Intermediate Resolution Plan\n\n1. HUD\xe2\x80\x99s Procurement          1A   Review transactions of the four contracting officers\n   Systems Do Not Have             who input records in excess of their contract\n   Adequate Controls for           authority and take actions as appropriate.\n   Monitoring the                    OCPO researched the transactions in question to       12/23/2006   12/14/2006\n   Procurement Process               determine if the obligations were appropriate or\n                                     not.\n                                     OCPO determined that the transactions were            3/31/2007    12/14/2006\n                                     properly executed by contracting officers acting\n                                     within their authority. No further action is\n                                     necessary.\n                              1B   Implement system controls to ensure that\n                                   contracting officers are not able to exceed their\n                                   procurement authority.\n                                     The OCPO will implement procurement authority         3/31/2007    4/25/07\n                                     control procedures.\n                                     The OCPO will include validation of contracting       1/08/2007    1/08/2007\n                                     officer authority as part of each Procurement                      On-Going\n                                     Management Review.\n\n                              1C   Implement controls to ensure that contracting\n                                   officers are required to either input or approve all\n                                   transactions that record funds through the\n                                   HUDCAPS interfaces.                                     
4/30/2007    4/25/2007\n                                      The OCPO will implement procedural controls to\n                                      require contracting officers to validate\n                                      transactions in HPS.\n\n                              1D   Modify the systems to make the contracting officer\n                                   field mandatory.                                        4/30/2007    6/20/2008\n                                      The OCPO will implement procedures for               Revised\xe2\x80\x94\n                                      electronic records, which are recorded in HPS, are   11/30/2008\n                                      reviewed to ensure that a Contracting Officer is\n                                      identified for each record.\n                                      The OCPO will implement validation of the            1/8/2007     1/08/2007\n                                      contracting officer identification as part of each                On-Going\n                                      Procurement Management Review.\n                                      (See 1B bullet 2 above. Validation of contracting\n                                      authority is the same as implementation of task)\n\n2.    
   HUD Procurement            2A   Ensure that system administration and security
   Systems’ Separation of          administration functions are separate
   Duties Controls Were              The OCPO will formally appoint separate               4/16/2007    05/01/2007
   Bypassed                          individuals to act as security administrator
                                     and system administrator for each OCPO
                                     system and ensure that the individuals will not
                                     be performing conflicting duties.

                              2B   Ensure that staff are not assigned conflicting
                                   duties, that separate functions are performed by
                                   separate individuals, and that the concept of least
                                   privilege is applied.
                                     OCPO will determine if multiple system
                                     profiles are actually a valid requirement on
                                     an individual basis in HPS.
                                     The goal is to eliminate all unnecessary and
                                     redundant profiles in HPS and to ensure that the
                                     individuals will not be performing conflicting duties.
                                       o The OCPO will identify users with                 2/15/2007    12/21/2006
                                         multiple HPS profiles
                                       o The OCPO will deactivate                          07/31/2007   07/19/2007
                                         unnecessary/redundant profiles
                              NOTE: While we can separate the duties procedurally, the
                              separation cannot be enforced in HPS or SPS without
                              reprogramming.

                              2C   Implement formal policies and procedures to
                                   recertify the access granted to users at least
                                   annually.
                                     The OCPO will develop and implement
                                     formal procedures for granting access by
                                     using the concept of least privilege to OCPO
                                     systems, as well as annual user access
                                     reviews by:
                                       o Revise system access request forms                1/31/2007    12/31/2006
                                       o Revise process in which user requests             2/28/2007    1/31/2007
                                         system access
                                       o Revise procedure in which system                  3/31/2007    1/31/2007
                                         access is granted
                                       o Develop formal procedure to enforce               06/30/2007   07/18/2007
                                         annual user access review

                              2D   Create and implement routing functionality
                                   within the Small Purchase System to allow users
                                   to be granted access to more than one office or
                                   region.
                                     OCPO recommends implementing the
                                     following tasks to alleviate the routing issue.
                                     OCPO will determine if multiple SPS system
                                     profiles are actually a valid requirement on
                                     an individual basis. The goal is to eliminate
                                     all unnecessary and redundant profiles in
                                     SPS.
                                       o The OCPO will identify users with                 2/15/2007    12/21/2006
                                         multiple SPS profiles
                                       o The OCPO will restructure the issuing             11/30/2007   12/14/2007
                                         office hierarchy to alleviate the
                                         necessity of multiple profiles for a given user.
3. HUD’s Procurement          3A   Perform a cost benefit analysis to determine whether
   Systems Do Not Contain          it is more advantageous to modify or replace the
   Sufficient Financial Data       procurement systems to ensure compliance with
   to Allow It to Effectively      Joint Federal Management Improvement Program
   Manage and Monitor              Requirements.
   Procurement Transactions          The OCPO will perform a cost benefit analysis to      05/31/2008   2/12/2008
                                     replace the OCPO systems.
                              3B   Implement functionality to ensure that there is
                                   sufficient information within HUD’s procurement
                                   systems to support the primary acquisition functions
                                   of fund certification, obligation, deobligation,
                                   payment, and closeout.
                                     Based on the availability of funds, OCPO
                                     will replace its systems with COTS software
                                     to ensure identified issues with security
                                     controls are addressed.
                                     Milestones – Not later than
                                         Develop Independent Government
                                         Estimate                                          5/4/2007     05/03/2007
                                         Conduct Market Research
                                         Source Selection                                  04/6/2007    04/06/2007
                                                                                           7/31/2010    09/30/2010
                                         Roll-out pilot of production system
                                                                                           10/15/2011   TBD
SECURITY CONTROLS
4. The Office of the Chief    4A   Obtain the training and/or resources necessary to
   Procurement Officer Did         develop or perform compliant (1) information
   Not Design or Implement         system categorization analyses; (2) risk
   Required Information            assessments; (3) security plans; (4) contingency
   Security Controls               plans and tests; (5) monitoring processes, which
                                   include applicable Federal Information Processing
                                   Standards Publication 200 managerial, operational,
                                   and technical information security controls; and (6)
                                   evaluations of the managerial, operational, and
                                   technical security controls.
                                     OCPO will ensure that training or other
                                     resources are obtained to develop or perform
                                     required managerial, operational, and technical
                                     security controls.
                                       Update Risk Assessments                             12/31/2008   08/31/2007
                                       Update Security Plans                               12/31/2008   08/31/2007
                                       Update Annual Contingency Plans and Tests           12/31/2008   12/13/2007
                                                                                                        On Going
                                       Monitoring processes, which include                 09/01/2008   08/29/2008
                                       applicable Federal Information Processing                        On Going
                                       Standards (FIPS) Publication 200 managerial,
                                       operational, and technical information
                                       security controls; and

                                       The OCPO continues to work with the OCIO to
                                       monitor the above-mentioned areas on an
                                       annual basis through updates to the
                                       Contingency plans, Security Plans, and BIA.

                                       Evaluations of the managerial, operational,         09/01/2008   08/29/2008
                                       and technical security controls.
                                                                                                        On Going
                                       The OCPO continues to work with the OCIO to
                                       evaluate the above-mentioned areas on an
                                       annual basis.

                              4B   Complete the corrective actions for the known open
                                   information security vulnerabilities or develop
                                   mitigation strategies if new system development is
                                   underway.
                                     OCPO will ensure it develops mitigation
                                     strategies for the known open information
                                     security vulnerabilities.
                                       Review vulnerabilities                              11/30/2008
                                       NOTE: Vulnerability scans were requested            Requested an
                                       by OCPO 06/09/2010 through OIT and                  Extension -
                                       security office – estimated scan date by            12/31/2009
                                       06/14/2010 – Received the scans on                  7/31/2010    09/13/2010
                                       09/13/2010.
                                       Working with OITS to analyze
                                       the results

                                       Develop mitigation strategy
                                       NOTE: Upon completion of the scans,                 09/13/2010   09/13/2010
                                       mitigating strategies will be developed for         See Note     On Going
                                       known vulnerabilities. Completion time is
                                       dependent on the number of vulnerabilities
                                       discovered

                              4C   Designate a manager to assume responsibility for
                                   ensuring the Office of the Chief Procurement
                                   Officer’s compliance with federal certification and
                                   accreditation process requirements and to provide
                                   “continuous monitoring” of the office’s information
                                   systems security.
                                     OCPO will designate a manager responsible for         1/15/2007    03/13/2007
                                     ensuring compliance with information systems
                                     security and federal certification and
                                     accreditation process.
                                     OCPO will work with OCIO to define roles and
                                     responsibilities and to ensure that appropriate       2/1/2007     2/1/2007
                                     resources are provided to perform required
                                     monitoring and certification and accreditation.

                              4D   Reevaluate the HUD Procurement System and
                                   Small Purchase System application systems’
                                   security categorization in light of Office of
                                   Management and Budget guidance on personally
                                   identifiable information.
                                     OCPO will reevaluate the HUD Procurement              8/31/2007    8/31/2007
                                     System and Small Purchase System application
                                     systems’ security categorization in light of
                                     Office of Management and Budget guidance on
                                     personally identifiable information.

                              4E   Perform a business impact analysis for the
                                   procurement systems.
                                   Based on the results of the
                                   impact analysis, determine what actions HUD can
                                   take to limit the amount of time needed to recover
                                   from the various levels of contingencies that can
                                   occur and include the determined actions in the
                                   contingency plans for the systems.
                                     OCPO will develop a business impact analysis
                                     for the procurement systems and revise the
                                     contingency plan based on the BIA.
                                       Develop business impact analyses                    4/30/2007    06/06/2007
                                       Incorporate BIA into contingency plans              9/30/2007    12/13/2007
                              5A   Implement the HUD Integrated Acquisition
                                   Management System (HIAMS)
                                     Complete Requirements Document                        06/26/2009   07/15/2009
                                     Complete Statement of Work                            06/26/2009   07/15/2009
                                     Re-Issue RFI to receive comments on SOW and           12/18/2009   12/18/2009
                                     requirements
                                     Review comments from RFI and update SOW               01/31/2010   01/31/2010
                                     and requirements
                                     Issue solicitation                                    02/01/2010
                                                                                           05/31/2010   06/02/2010
                                     Purchase software                                     07/31/2010
                                                                                           09/30/2010   09/27/2010
                                     Configuration of
                                     software                                              12/31/2010   07/29/2011
                                       Configuration of the software has begun.            07/08/2011
                                       The complete configuration will be
                                       completed by October 2011 (FY 2012)
                                     Testing/Training/Implementation                       10/28/2011

                 OFFICE OF THE CHIEF HUMAN CAPITAL OFFICER
                        REMEDIATION PLAN AS of 09/30/2011

           D67A Facilities Integrated Resources Management System (FIRMS)
  Noncompliance Issue(s)                             Tasks/Steps                             Target         Actual
                                               (including Milestones)                      Completion     Completion
                                                                                             Dates          Dates
INTERNAL CONTROLS
OIG Audit Report #: 2010-     1A. Work with the Office of the Chief Information Officer    1/31/2011      Completed
F0-0004                       to develop and implement a system that would allow                          1/31/2011
Review of HUD's Property      OFMS to identify when equipment is purchased.
and Equipment, issued 8-17-            The Office of the Chief Information Officer had
10                                     developed and implemented the Automated
                                       Bankcard System for tracking government credit
Finding:                               card purchases. This system allows the Property
                                       Management Branch (PMB) to view purchases to
1. HUD lacked control over             determine accountability status.
   the acquisition of                  OCFS currently uses ANSWERS and provides a monthly report
   accountable equipment.              to PMB of all government credit card purchases
                                       that are determined accountable.
                                                                                           October 2011
                              1B. Update and reissue the standard operating procedures
                              and HUD handbooks for reporting the purchases and lease
                              (when applicable) of equipment and implement a set of
                              standard operating procedures for users of purchase cards,
                              including procedures for but not limited to notifying
                              OFMS of the purchase and delivery/receipt of accountable
                              and sensitive equipment, so that the items can be recorded
                              and bar coded by OFMS.
                                       The SOPs have been updated and distributed to
                                       OCPO, OCIO, OCHCO Support Services, and
                                       OCFS. As of 3/21/2011 OCPO and OCIO have
                                       concurred with the revisions in the SOP and will
                                       begin implementation. Comments are
                                       forthcoming from OCHCO Support Services and
                                       OCFS for review and possible implementation.
OIG Audit Report #: 2010-     2A.
                                  Coordinate with the Office of the Chief Financial        TBD
F0-0004                       Officer, Office of the Chief Information Officer, and
Review of HUD's Property      Office of the Chief Procurement Officer to develop and
and Equipment, issued 8-17-   implement system interfaces, including but not limited to
10                            interfaces between FIRMS and the core financial system
                              and the acquisition system.
Finding:
                              2B. Develop and implement a process that can distinguish
2. HUD’s Property             between capitalized and expensed equipment in the            May 2010       Completed
   Management System Had      property management system.                                                 May 2010
   Weaknesses

  OFFICE OF THE COMMUNITY PLANNING AND DEVELOPMENT
              REMEDIATION PLAN AS of 10/25/2011

                  Integrated Disbursement and Information System (IDIS)
                     Disaster Recovery and Grant Reporting System (DRGR)
                                                  Tasks/Steps                           Target        Actual
Non-Compliance Issue(s)                     (including Milestones)                    Completion    Completion
                                                                                        Dates         Dates
INTERNAL CONTROLS
OIG Audit Report #2011-FO-0003, Issued 11/15/2010

OIG Recommendations            Intermediate Resolution Plan
1A. Cease the changes being    For OIG Recommendations 1A, 1B, 1C, 1D, 2F
  made to IDIS for the         OIG is seeking a formal legal opinion from GAO
  HOME program related         regarding the use of FIFO.
  to the FIFO rules until      Upon CPD’s receipt of GAO’s legal opinion, CPD will
  the cumulative effect of     begin preparing appropriate revised management
  using FIFO can be            decisions for the recommendations and provide these
  quantified on the            revised proposed management decisions to OIG within
  financial statements.        60 days of the receipt of the opinion. These proposals
                               will include new final action target dates (FATD) to
1B. Change IDIS so that the    complete any actions in accordance with the legal
  budget fiscal year source    opinion or a request for concurrent closure, should
  is identified and attached   the Department’s position prevail.
  to each activity from the
  point of obligation to       CPD will begin preparing appropriate revised
  disbursement.                management decisions for recommendation 1A-D
                               and provide these revised proposed management
1C. Cease the use of FIFO      decisions to OIG within 60 days of the receipt of the
  to allocate funds (fund      opinion.
  activities) within IDIS
  and disburse grant           Planned Timetable:
  payments.
  Match outlays                OIG submitted their formal request for legal opinion    5/17/11
  for activity                 regarding the use of FIFO - 5/17/11;
  disbursements to the
  obligation and budget        GAO provides their legal opinion - 7/31/11 - Date not   7/31/11
  fiscal source year in        met;                                                    OIG has
  which the obligation was                                                             not received
  incurred, and in addition,                                                           a response
  match the allocation of                                                              from GAO.
  funds (activity funding)
  to the budget fiscal year    CPD provides revised management decisions based         6/21/2012
  source of the obligation.    on their interpretation of the legal opinion -
                               6/21/2012.
1D. Include as part of the
  annual CAPER, a
  reconciliation of HUD's
  grant management
  system, IDIS, to grantee
  financial accounting
  records on an individual
  annual grant basis, not
  cumulatively, for each
  annual grant awarded to
  the grantee.
OIG Audit Report #2011-FO-0003, Issued 11/15/2010
OIG Recommendations            For OIG Recommendation 2F
2F. For grantees which do      CPD will revisit the issue after GAO issues its
  not comply with              opinion to determine what impact, if any, it has on
  program regulations, de-     Grant Reductions. OIG is seeking a formal legal
  obligate the funds related   opinion from GAO regarding the use of FIFO.
  to the non-compliance        Upon CPD’s receipt of GAO’s legal opinion, CPD will
  from the older applicable    begin preparing appropriate revised management
  grant award and not the      decisions for recommendations 1A, 1B, 1C, 1D and
  current available for        2F and provide these revised proposed management
  obligation awards.           decisions to OIG within 60 days of the receipt of the
                               opinion. These proposals will include new final
                               action target dates (FATD) to complete any actions
                               in accordance with the legal opinion or a request for
                               concurrent closure, should the Department’s position
                               prevail.

                               CPD will begin preparing appropriate revised
                               management decisions for recommendation 1A-D
                               and provide these revised proposed management
                               decisions to OIG within 60 days of the receipt of the
                               opinion.

                               Planned Timetable:
                               OIG submits their formal request for legal opinion      5/17/11
                               regarding the use of FIFO - 5/17/11;
                               GAO provides their legal opinion - 7/31/11 - Date not   7/31/11
                               met;                                                    OIG HAS
                                                                                       not received
                                                                                       a response
                                                                                       from
                                                                                       GAO

                               CPD provides revised management decisions based         6/21/2012
                               on their interpretation of the legal opinion -
                               6/21/2012.
OIG Audit Report # 2009-DP-0007, Issued 9-30-2009
OIG Recommendations            Recommendation 1A                                       3/26/2010     3/26/2010
1A. Complete                   Completed establishment of policies and procedures
  establishment of policies    requiring that all access-related requests for HUD
  and procedures requiring     employees be processed through CHAMP.
  that all access-related
  requests for HUD
  employees be processed
  through CHAMP
1B. Provide a listing of all   Recommendation 1B                                       3/26/2010     3/26/2010
  HUD employees with           Provided a listing of all HUD employees with access
  access to the DRGR           to the DRGR application and their access level to the
  application and their        Office of the Chief Information Officer, Office of
  access level to the Office   Information Technology Support Services, for
  of the Chief Information     recording in CHAMP.
  Officer, Office of
  Information Technology
  Support Services, for
  recording in CHAMP
1C. Establish rules of         Recommendation 1C                                       3/26/2010     8/1/2010
  behavior for each type of    Electronic acceptance of Rules of Behavior (ROB)
  DRGR user.
  Implement                    in DRGR was included in Release 7.0 deployed
  policies and procedures      September 2, 2010. HUD has implemented
  requiring users to           standard CIO and/or CPD rules of behavior forms
  complete and sign the        for DRGR as part of this release along with a time
  rules of behavior form       stamp for electronic signature of the ROB.
  when access is granted       Standard rules can be modified by user role, as
  and annually at              needed. Copies of the standard ROB are attached.
  recertification.
1D. Establish a formal         Recommendation 1D Established Prior to Release          3/26/2010     3/26/2010
  process for grantee users    7.0, DRGR had a formal process in place that
  requesting access to the     incorporates verifications of each grantee user both
  application. This            by HUD field staff and by the grantee’s own system
  process should include a     administrator by email. DRGR already required
  requirement that an          grantees to submit email requests to CPD field
  official from the            offices for verification and approval. DRGR also
  applicant’s organization     required that grantee system administrators
  authorize the request and    authorize each user’s access to each grant. Under
  the type of access           Release 7.0 deployed Sept. 2, 2010, DRGR now
  required.                    requires additional certifications within DRGR based
                               on user roles for new accounts. HUD headquarters
                               DRGR system administrators in CPD will certify CPD
                               field managers. CPD field managers will certify their
                               CPD field staff accounts in DRGR. CPD field staff will
                               certify grantee contacts and grantee system
                               administrators by email and within DRGR.
Grantee\n                               DRGR administrators will in turn certify other\n                               grantee users. Copies of these screens are shown in\n                               the attached summary of new functions under\n                               Release 7.0.\n1E. Implement a formal         Recommendation 1E Under Release 7.0                      3/26/2010    8/1/2010\nuser recertification process   deployed September 2, 2010, DRGR now requires\nfor all DRGR users.            additional semi-annual re-certifications within\n\n                                                   95\n\x0c                                                    Tasks/Steps                         Target      Actual\nNon-Compliance Issue(s)                       (including Milestones)                  Completion   Completio\n                                                                                        Dates       n Dates\n                                DRGR based on user roles for new accounts. HUD\n                                headquarters DRGR system administrators in CPD\n                                will recertify CPD field managers. CPD field\n                                managers will recertify their CPD field staff\n                                accounts in DRGR. CPD field staff will recertify\n                                grantee contacts and grantee system\n                                administrators by email and within DRGR.\n                                Grantee DRGR administrators will in turn\n                                recertify other grantee users. Each user\n                                authorized to certify other users may also\n                                decertify users at any time, as needed. Copies of\n                                these screens are shown in the attached summary\n                                of new functions under Release 7.0.\n2A. 
Work with its               Recommendation 2A                                      3/26/2010   8/1/2010\ncontractors to update           CPD and CIO have been working on updated\nconfiguration management        configuration and contingency plans as part of its\nand contingency plans.          ongoing system development and management efforts.\n                                These plans are done by HUD staff rather than\n                                contractors. This effort is targeted to be complete as\n                                part of a summer 2010 release in production. All\n                                updated plans from Release 6.5.3 are attached.\n2B. Work with its               Recommendation 2B Work with its contractors            3/26/2010   3/26/2010\ncontractors to create system    to create system and user manuals for the\nand user manuals for the        application.\napplication.\n2C. Initiate testing of the     Recommendation 2C                                     3/26/2010    3/26/2010\napplication contingency         CPD and CIO have been working on updated\nplan, once updated, and         configuration and contingency plans as part of its\nprocedures to ensure that       ongoing system development efforts. Updated\nannual testing is completed.    documents from Release 6.5.3 are attached. CPD\xe2\x80\x99s\n                                System Development and Evaluation Division\n                                (SDED) submitted a request in September of 2010\n                                that DRGR be tested as a major system, but no test\n                                has been scheduled yet.\n2D. Review and revise the       Recommendation 2D CPD and CIO have been               3/26/2010    8/1/2010\nrisk assessment to include      working on updated configuration and\nonly controls that are active   contingency plans as part of its ongoing system\nand in place.                   development efforts. 
Update of Risk Assessment\n                                is scheduled for next release as part of Work\n                                Request 2009-003a. Updated documents related\n                                to Risk Assessments from Release 6.5.3 are\n                                attached.\n2E. Review and revise all       Recommendation 2EFunctional requirements              3/26/2010    8/1/2010\nsystem documentation to         documents discussed during the audit are design\nensure that the information     documents intended to guide development for\nis accurate and that only       system programmers. HUD will continue to work\nvalid information are\n\n                                                   96\n\x0c                                                  Tasks/Steps                        Target      Actual\nNon-Compliance Issue(s)                     (including Milestones)                 Completion   Completio\n                                                                                     Dates       n Dates\nmaintained within the          with contractors to ensure that official\ndocument.                      documentation for the DRGR system includes only\n                               accurate and valid information. CPD and OCIO\n                               will continue to require contractors to update\n                               functional requirements and other required\n                               system documentation as changes are made to the\n                               system. CPD and OCIO will continue to review\n                               these documents with each new set of\n                               enhancements. Updated functional requirement\n                               documents from Release 6.5.3 are attached.\n2F. 
Submit the revised         Recommendation 2F CPD and CIO have been             3/26/2010    3/26/2010\ndocumentation to the           working on updated configuration and\nauthorizing official for use   contingency plans as part of its ongoing system\nin the certification and       development efforts. All revised documentation\naccreditation process.         for use in the C & A process was approved by CPD\n                               in June of 2010. Updated materials related to\n                               Release 6.5.3 are attached.\nOIG Recommendations            Recommendation 3A CPD separated the duties          3/26/2010    3/26/2010\n3A. Separate the duties of     of security administration and system\nsecurity administration and    administration for the DRGR application.\nsystem administration for\nthe DRGR application.\n3B. Remove the ability to      Recommendation 3B CPD will continue to              3/26/2010    9/15/2010\nmodify grantee data from       restrict HUD accounts that allow edits to grantee\nHUD staff members that do      reporting data using the grantee simulator role.\nnot require it.                CPD has enforced DRGR controls that will not\n                               permit any HUD super-users to alter any\n                               drawdown data under DRGR Release 6.3 deployed\n                               in January of 2009. Financial data of this nature\n                               can only be directly altered by DRGR grantee\n                               users that have been authorized by the grantee\n                               and HUD field staff familiar with grantee\n                               operations. 
The ability to edit grantee reporting\n                               data on their behalf will remain restricted to a\n                               very small number of HUD HQ users in order to\n                               provide technical assistance for DRGR data entry\n                               problems, as needed. HUD will continue to\n                               document any such requests by email and will\n                               issue a contractor work request to support the\n                               creation of DRGR reports which track all data\n                               edits performed using the grantee simulator. A\n                               work request, including this item was approved\n                               by GSA in August of 2010. Copies are attached.\n3C. Take steps to fund the     Recommendation 3C CPD Took steps to fund the        3/26/2010    3/26/2010\nuse of the CPD contractor      use of the CPD contractor to perform the help\nto perform the help desk       desk function for the DRGR application.\n\n\n                                                 97\n\x0c                                                  Tasks/Steps                      Target      Actual\nNon-Compliance Issue(s)                     (including Milestones)               Completion   Completio\n                                                                                   Dates       n Dates\nfunction for the DRGR\napplication.\nOIG Recommendations            Recommendation 4A CPD and OCIO will work          3/26/2010    8/1/2010\n4A. Work with its              with contractor (CACI) to ensure computer\ncontractors to ensure that     processes, both internal and external to the\ncomputer processes, both       system, are documented and tested in accordance\ninternal and external to the   with NIST 800-53. 
Updated functional\nsystem, are documented         requirement documents from Release 6.5.3 are\nand tested in accordance       attached.\nwith NIST SP 800-53,\nwhich is incorporated in\nHUD policy (HUD\nHandbook 2400.25, REV-\n2).\n4B. Work with its              Recommendation 4B CPD and CIO will continue to    3/26/2010    8/1/2010\ncontractors to ensure that     work with contractors to ensure that official\ntests of drawdown controls     documentation for the DRGR system includes only\nand transaction processing     accurate and valid information. Updated\nreports are performed as       functional requirement documents from Release\nstated in the functional       6.5.3 are attached.\nrequirements\ndocumentation or if other\ncontrols are used, removes\nstated controls not in use\nfrom system\ndocumentation.\n\n\n\n\n                                                98\n\x0cAppendix D\n\n\n     SCHEDULE OF FUNDS TO BE PUT TO BETTER USE\n\n                           Recommendation         Funds to be put\n                               number             to better use 1/\n                                   2.a.                $1.7M\n                                   2.b.                $32M\n                                   2.d.                $3.8M\n                                   2.e.                $0.9M\n                                   2.f.                $24M\n                                   2.i.               $18.3M\n                                   5.c.               $820M\n                                   5.d.                 $1B\n                                   7.b.              $471.8M\n\n\n\n1/   Recommendations that funds be put to better use are estimates of amounts that could be\n     used more efficiently if an OIG recommendation is implemented. 
These amounts include reductions in outlays, deobligation of funds, withdrawal of interest, costs not incurred by implementing recommended improvements, avoidance of unnecessary expenditures noted in preaward reviews, and any other savings that are specifically identified.

Appendix E

AUDITEE COMMENTS

Appendix F

OIG Evaluation of Agency Comments

HUD’s management generally disagrees with our presentation of the findings in this report. While management only provided formal comments on 3 of the 7 Significant Deficiencies, they nonconcurred on the significant deficiencies related to the noncompliance of financial management systems with FFMIA; oversight and monitoring of subsidy calculations and the use of HCVP and Operating Subsidy program funds; and the need to improve administrative control of funds. HUD was in general agreement with our presentation of the findings related to the need to improve information security.

With regard to HUD management’s formal comments:

Emergency Home Loan Program
HUD’s disagreement with our reporting of the Emergency Home Loan Program relates to the return of $472 million of unobligated funds. Due to delays in establishing the EHLP, HUD only obligated $528 million of the $1 billion appropriated for the EHLP. The Dodd-Frank Act specified a time period, October 1, 2010, to September 30, 2011, when emergency mortgage relief payments could be obligated. Under current law, no additional loans can be made and additional obligations can only be made for increases to existing loan amounts and administrative costs. Therefore, HUD has no legal basis for retaining the remaining unobligated funds beyond the stated needs. We are recommending that HUD seek the authority from Congress to return to the U.S.
Treasury up to $472 million in funds not needed for potential upward adjustments to current loan obligations and future administrative costs for the existing program.

Federal Financial Management Improvement Act of 1996
HUD’s disagreement on its noncompliance with FFMIA has two components: HUD’s entity-wide integrated financial management system and CPD formula grant accounting.

First, HUD continues to hold its long-stated position that, while acknowledging deficiencies, its entity-wide integrated financial management system is compliant with FFMIA. HUD agrees that its systems processes can be more efficiently integrated to eliminate the need for existing compensating controls; nevertheless, management feels the existing environment is substantially compliant and not at material risk of misreporting. The deficiencies noted in HUD’s financial management systems are due to the current financial system being developed prior to the issuance of current requirements. The system is also technically obsolete, has inefficient multiple batch processes, and requires labor-intensive manual reconciliations. Because of these inefficiencies, HUD’s management systems are unable to routinely produce reliable, useful, and timely financial information. This weakness manifests itself by limiting HUD’s capacity to manage with timely and objective data, and thereby hampers its ability to effectively manage and oversee its major programs.
In addition, the Department has not met the minimum set of automated information resource controls relating to Entity-wide Security Program Planning and Management as required by FISMA and OMB Circular A-130 Appendix III.

Second, HUD still believes that the CPD’s formula grant programs are compliant and that our FFMIA noncompliance conclusion due to CPD grant accounting departures from U.S. GAAP and weaknesses in internal controls over financial reporting does not fully take into account the nature of block grants. We disagree with their assessment and believe that CPD formula grants need to comply with budgetary controls and Federal financial management requirements related to the matching of outlays to source of funds by appropriation year.

We will continue to work with HUD so that they can understand and correct the control deficiencies in their grant management systems as well as remedy the accounting and financial reporting noncompliance issues related to CPD formula grants.

Erroneous Payments
In their response to this report, HUD takes exception to our methodology in calculating this percentage. Our calculation differs from HUD’s because we excluded program expenditures for Moving to Work PHAs not included in the universe for testing (in HUD’s Quality Control (QC) Study and Income Match Study) and administrative fees.

We found that HUD calculated the projected gross error using the $32 billion total housing assistance expenditures reported in the fiscal year 2010 financial statements. However, the $32 billion includes $6.2 billion in administrative fees and Moving to Work program subsidies.
The $6 billion is approximately the difference between the $32 billion that HUD reported in fiscal year 2010 financial statements and the $26 billion in disbursements that we found to be attributable to the quality control and income match studies.

The MTW PHAs’ transactions were removed from the population before the sample was selected, and they were not part of the population when the error was projected. HUD was aware of their removal from the population. Therefore, their inclusion in the total program payments to calculate the improper payments errors can mislead the readers of HUD’s financial statements.

For the administrative expenses, a HUD official justified that these expenses paid to the “program administrators are an integral part of the program payments.” However, the fiscal year 2010 QC study only tested the rental subsidies paid to the tenants; the administrative expenses were not tested for improper payments. The fiscal year 2010 QC study population included “all projects and tenants.” Hence, the population consisted only of units occupied by the tenants. It was the tenant files, selected by the contractor, that were reviewed, and tenants that were interviewed, not the administrators of the PHAs and/or owners of administered homes. As a result, because the administrative money paid to the PHA administrators and/or owner-administered homes was not tested, the expenses should be excluded from the total program payments.

As a result, for fiscal year 2011, we are reporting the fiscal year 2010 improper payments projections and errors without comparing the results to the previous years, as this year’s result is not comparable to the projections in the prior years.

We believe our method and calculations to be valid and accurate.
We will continue to work with HUD on this issue.

Administrative Control of Funds
HUD also did not agree with the categorization of our observation that HUD Needs to Improve Administrative Control of Funds as a significant deficiency. We take exception to HUD’s position that the requirement for documenting controls over funds administration ends at the point of obligation when compliance with the provisions of the Anti-Deficiency Act is ensured. Defects in HUD’s design and implementation of the administrative control of funds have been identified and discussed with HUD since fiscal year 2005. Our justification for reporting this issue as a significant deficiency this year was that (1) not all programs that incurred obligations or disbursements had acceptable funds control plans and (2) the funds control plans were not complete, accurate, updated, and complied with by the program offices. Additionally, we noticed that funds control plans were not always updated to reflect all program codes and did not always include the correct appropriations. We also noted that the Office of the Chief Financial Officer (OCFO) had not ensured the effective administrative control of funds process as required by HUD’s Policies Handbook 1830.2. Incomplete implementation of administrative control of funds has been a long-standing issue and has been previously reported since fiscal year 2005 in our audit reports and management letters.